Timehop, a social networking app that lets people reminisce about the good ol’ days by gathering and linking old posts from its users’ social media accounts, suffered a stunning data breach recently that compromised the names, email addresses, and phone numbers of up to 21 million users.
The breach occurred after a hacker compromised an access credential to Timehop’s cloud server, which was not protected by multifactor authentication. Thankfully, the breach was detected soon after the intrusion took place, but the firm couldn’t stop the hackers from collecting the personal data of millions of users.
“We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts,” the firm said, while not commenting on why multi-factor authentication wasn’t implemented in the first place.
Data of millions stolen in a few hours
The breach was detected on 4 July and the firm acted quickly to stop it and to launch an investigation into what data had been compromised. It said that, aside from names, some email addresses, and phone numbers, the hackers also compromised “access tokens” provided to Timehop by its social media providers, which could enable a malicious actor to view users’ social media posts without permission.
Those “access tokens” have now been revoked to ensure the hackers cannot view users’ social media posts. Timehop also logged out all users automatically and has asked them to log in again using one-time authentication codes sent to their phone numbers.
“We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment.
“We immediately began actions to deauthorize compromised access tokens, and are working with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases,” the firm said.
It added that only 4.7 million of the 21 million affected accounts had phone numbers attached to them, and that no financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached. Even so, there is a high likelihood that the stolen information “will appear in forums and be included in lists that circulate on the Internet and the Dark Web”.
Timehop’s response to the breach
While Timehop didn’t say how many of the affected users were located in Europe, it said that it is notifying all EU users about the breach with assistance from Europe-based GDPR specialists. However, it added that informing EU users was a “pro-active” measure, as GDPR notification would only be required if a breach is “likely to result in a risk to the rights and freedoms of the individuals”.
“We’re seeing an increase in breach notification, as organisations do their utmost to adhere to the 72 hour imposed timescales. Although Timehop were guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly,” said Dan Pitman, senior solutions architect at Alert Logic.