Timehop discloses July 4 data breach affecting 21 million

img

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base). Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However the keys that allow it to read and show users their social media content were compromised — so it has all keys deactivated, meaning Timehop users will have to re-authenticate to its App to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could “theoretically” have been used for unauthorized users to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

News Comments
0 Shares

Timehop Discloses July 4 Data Breach Affecting 21 Million
Timehop Discloses July 4 Data Breach Affecting 21 Million
Timehop Discloses July 4 Data Breach Affecting 21 Million
Timehop Discloses July 4 Data Breach Affecting 21 Million
Timehop Discloses July 4 Data Breach Affecting 21 Million

Timehop Discloses July 4 Data Breach Affecting 21 Million

Timehop Discloses July 4 Data Breach Affecting 21 Million

Newsletter

Get our Tips and Tricks to your Inbox

This div height required for enabling the sticky sidebar
Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views :