The personal data of millions of Timehop customers has been compromised after a hacker gained access to its cloud-based backend computing environment.
Timehop, a service that plugs into users’ social media platforms and shows them memories from the past, disclosed the data breach on Sunday. The company said that last week on July 4, a data breach resulted in hackers swiping the names, email addresses and phone numbers of millions of customers. The hackers also stole social media “access tokens,” provided to Timehop by social media services, for up to 21 million customers.
“We have no evidence that the data has been used,” Timehop said in a statement about the breach. “All the access keys have been de-authorized and cannot be used. Timehop has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.”
The attacker's July 4 intrusion lasted about two hours and nineteen minutes, Timehop said. The company shut it down, but by then the data of millions of users had already been exfiltrated.
Timehop said the hackers did not steal financial data, passwords or the actual social media "memories" stored by Timehop. They did, however, take the social media "tokens," the keys that let the company read users' social media posts (not private messages) and show them back to those users. That means that, for as long as the stolen tokens remained valid, the hackers could potentially have read victims' social media posts.
Timehop said that it has deactivated these keys so they can no longer be used by anyone, and there was no evidence that any accounts were accessed without authorization. Users, for their part, will need to re-authenticate to the app.
“It is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened,” the company said.
Fred Kneip, CEO of CyberGRX, said in an email that the breach comes as social media sites like Facebook are already under fire for their data security and privacy practices.
“It’s an enormous task for these sites to get their own house in order,” he said. “This breach demonstrates that, even if internal policies and procedures are squared away, social media platforms still have to ensure that partners like Timehop have the proper security controls in place to safeguard users’ data. Any company’s digital ecosystem is only as strong as its weakest link – and it only takes one vulnerability from a third party like a partner, supplier or contractor for hackers to gain access to sensitive data.”
How did the breach occur?
Timehop said in a technical assessment that the intrusion began in December 2017, when an attacker obtained a set of administrative credentials and used them to gain unauthorized access to the company's cloud computing environment.
“This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our cloud computing environment,” the company said. “For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” according to the company.
Then, on July 4, the attacker moved from reconnaissance to action, attacking the production database and transferring data out of the environment. At around 2:43 pm US Eastern time on July 4, one of the attacker's actions triggered an alarm, and Timehop engineers began to investigate.
The root cause, according to Timehop, was that the compromised cloud computing account itself was not protected by multifactor authentication, so the stolen credentials alone were enough to log in. "That cloud computing account had not been protected by multifactor authentication," the company said. "We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts."
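The sequence described above (a password-only admin login, followed by the creation of a new administrative user and months of quiet reconnaissance) is the kind of activity a cloud audit trail records, and each step is detectable. The following is an added example, not code from Timehop or from the article, of detection logic for those two control failures run over constructed log events. The event shape is modelled on AWS CloudTrail JSON, which is an assumption here since the article does not name the cloud provider; the event names (`ConsoleLogin`, `CreateUser`, `AttachUserPolicy`), the `MFAUsed` field and the `AdministratorAccess` policy ARN are real CloudTrail/IAM identifiers, while the user names, IP addresses and timestamps are invented for the example.

```python
"""Added detection example: flag (1) successful console logins without MFA and
(2) a new user being granted an administrative policy shortly after creation,
then correlate the two. Event shape follows AWS CloudTrail JSON (an assumption;
the article does not name the provider). All events are constructed."""
import json
from datetime import datetime, timedelta

# Constructed sample log in CloudTrail's {"Records": [...]} shape. Not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-12-19T20:15:03Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-12-19T20:21:44Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2017-12-19T20:22:10Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-12-20T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.4",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

# Managed policies that confer full administrative rights; extend per account.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def load_events(text):
    """Parse a CloudTrail-style document and return its records oldest first."""
    records = json.loads(text)["Records"]
    return sorted(records, key=lambda e: e["eventTime"])


def parse_time(ts):
    """CloudTrail timestamps are UTC with a literal Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def actor(event):
    """Best-effort name of the principal that performed the action."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def logins_without_mfa(events):
    """Successful console logins where MFA was not used. Any hit means the
    account can be entered with a password alone, the condition Timehop
    reported for the compromised account. Returns (time, actor, source IP)."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append((e["eventTime"], actor(e), e.get("sourceIPAddress")))
    return hits


def new_admin_users(events, window=timedelta(hours=1)):
    """CreateUser followed within `window` by an admin policy attached to the
    new user. Returns (time of attach, creator, new user, policy ARN)."""
    created = {}  # new user name -> (creation time, creating principal)
    hits = []
    for e in events:
        params = e.get("requestParameters", {})
        if e.get("eventName") == "CreateUser":
            created[params.get("userName")] = (parse_time(e["eventTime"]), actor(e))
        elif e.get("eventName") == "AttachUserPolicy":
            target, policy = params.get("userName"), params.get("policyArn")
            if policy in ADMIN_POLICY_ARNS and target in created:
                t0, creator = created[target]
                if parse_time(e["eventTime"]) - t0 <= window:
                    hits.append((e["eventTime"], creator, target, policy))
    return hits


def chained_findings(events):
    """Highest-severity finding: a principal that logged in without MFA and
    then minted a new administrative user, the pattern the article describes."""
    no_mfa_actors = {a for _, a, _ in logins_without_mfa(events)}
    return [h for h in new_admin_users(events) if h[1] in no_mfa_actors]


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    for f in logins_without_mfa(evts):
        print("login without MFA:", f)
    for f in chained_findings(evts):
        print("new admin user created by non-MFA principal:", f)
```

Run as a script, the block reports the `ops-admin` login without MFA and the `backup-svc` admin account it created; the `alice` login, which used MFA, is not flagged. In a real deployment the same checks would run against the trail as events arrive, and the chained finding should page someone: had an alert fired on the December login or the new admin user, the reconnaissance that followed would not have gone unnoticed until July.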
Moving forward, Timehop said it is conducting a thorough audit of all accounts, credentials and permissions granted to authorized users. It is also in communication with local and federal law enforcement officials.
“Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance,” the company said.
The company also said it is working with European-based GDPR specialists to comply with the General Data Protection Regulation, given its multinational customer base. Under GDPR (enforceable since May 25, 2018), companies with customers inside the EU must notify the relevant supervisory authority within 72 hours of becoming aware of a breach.
“Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible,” the company said. “We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”