The personal data of 21 million Timehop customers has been compromised as hackers were able to breach their backend server environment. Timehop functions by connecting to social media platforms to show users’ past memories. The breach was disclosed on Sunday, July 8th, stating that the breach occurred on the week of July 4th. TimeHop stated in an update on July 11th that the breach included names, email addresses, dates of birth, gender, country codes, and some phone numbers, though no private/direct messages, financial data, social media, or photo content was stolen.
During a technical assessment of the breach, it was shown that the attackers leveraged their attack through stolen admin credentials, which they then used to gain access to the application’s cloud computing environment. From there they attacked Timehop’s production database and started transferring data. Due to the database not using multifactor authentication, it was not hard for hackers to bypass it with the stolen credentials.
Timehop was able to disable the access token keys for all accounts and stated that “none of your memories were accessed”. They also said that the additional data lost was not due to a secondary breach - coincidentally, this was the only data loss incident Timehop has suffered to date. In addition, Timehop reported that there is no evidence to indicate that the attackers were able to use any of the tokens to gain access to social media accounts.
Timehop has updated their statements about the token keys as well. The keys were deauthorized by Timehop acting in concert with social media partners by Sunday, 8 July. Timehop did not report the breach, which was discovered on 5 July 2018 to its users until after it was certain that the keys had been de-authorized and the social media partners had not observed any suspicious activity. Users will have to re-authenticate their token keys to the application in order to continue using it.
Timehop goes on to say that if users used their phone number for login, then Timehop would have the user’s phone number, which in turn would give attackers access to them as well. It is recommended that users take additional security precautions with their cellular provider to ensure that their number cannot be ported, and in the cases of AT&T, Verizon, or Sprint, they can simply add or change their pin. T-Mobile users are recommended to call 611 from a T-Mobile device, or call 1-800-937-8997 to talk with customer services representative to assist with limiting the portability of the customer’s phone number.
Sources https://threatpost.com/timehop-breach-impacts-personal-data-of-21-millionusers/133765/ https://nakedsecurity.sophos.com/2018/07/09/your-social-media-memoriesmay-have-been-compromised/ https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breachaffecting-21-million/