
Data of 21 million users exposed in Timehop attack


    As a security precaution, users have been automatically logged out of the app and will be required to sign in. — Timehop

    Personal details, including names and e-mail addresses of over 21 million Timehop app users have been exposed due to a data breach. About 4.7 million of those accounts had phone numbers attached to them.

    Timehop is an add-on app that social media users use to reminisce about the good ol' days. It was popular before Facebook rolled out its "Memories" feature, and the app was also used by many Twitter and Instagram users. The startup admits that the breach occurred through unauthorised access to its cloud computing account, which it states was not protected by multi-factor authentication.

    The intrusion was detected roughly two hours after it began, and although Timehop managed to disrupt the data transfer, it could not prevent some of the data from being taken. On top of the personal data, the attackers also reportedly took the "access tokens" that the social media platforms had issued to Timehop on users' behalf.

    Timehop states that the tokens could have allowed the attackers to view, without permission, some of the social media posts that affected users had uploaded in the past. The startup says it has already revoked the tokens and that they can no longer be used.

    "The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don't store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your 'Memories' after you've seen them," states Timehop.

    The case is still under investigation, and Timehop stresses that there has been no report of unauthorised access to user data through the stolen access tokens. It also states that the tokens did not grant access to Facebook Messenger, to Direct Messages on Twitter or Instagram, or to items posted by users' friends on their Facebook walls.

    Alarmingly, Timehop – whose tokens only grant access to the posts on a user's own profile – admits that there was a short window between the theft and the revocation during which it was "theoretically" possible for the attackers to read those posts.

    However, it stresses that there is no evidence this occurred. Timehop says it is working with a cybersecurity company to search the Internet and the Dark Web for any sign of the stolen data. So far none has surfaced, though Timehop considers it highly likely that the data will eventually appear on forums and be circulated on the Internet and the Dark Web.

    As a result of the breach, Timehop says it has added multi-factor authentication to all of its accounts to secure its authorisation and access controls.

    Because Timehop has invalidated all API credentials, users have been automatically logged out of the app and will be asked to log in again and re-authorise each service they wish to use with Timehop. This process, it says, issues a new, secure token for each connected service.

    "We immediately conducted a user audit and permissions inventory, changed all passwords and keys, added multi-factor authentication to all accounts in all Cloud-based services, revoked inappropriate permission, increased alarming and monitoring, and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We will employ the latest encryption techniques in our databases," it states.