The application—which resurfaces users’ memories from their photos and videos on Facebook, Instagram, Twitter, Swarm and their mobile devices, one day at a time—announced on its website that it was the victim of a “network intrusion” July 4.
Here are the most important things to know about the data breach at Timehop and the company’s response to it:
- Names, email addresses and “some” phone numbers for 21 million Timehop users were breached.
- Private and direct messages, financial data, social media content, photos and Timehop data, including streaks, were not affected. Timehop wrote, “To reiterate: none of your ‘memories’—the social media posts and photos that Timehop stores—were accessed.”
- The keys that allow Timehop to read and show users their social media posts (but not private messages) were also compromised, and Timehop deactivated those keys, meaning that users will have to reauthenticate to the app.
- If any users’ content is not loading, it was deactivated by Timehop “proactively.”
- Timehop said it has no evidence that any accounts were accessed without authorization.
Aside from having to log into Timehop and reauthenticate every service people want to use with the app, Timehop provided the following suggested security steps for people who used their phone numbers to login to the app:
“If you used a phone number for login, then Timehop would have had your phone number. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported. If AT&T, Verizon or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this. If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer-care representative to assist with limiting portability of your phone number. For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.”
The company provided the following detailed description of what transpired July 4: “At 2:04 U.S. Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts. The attack was detected, and two hours and 19 minutes later—at 4:23 p.m. that same day—our engineers locked out the attackers (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.
Timehop also revealed its responses to the event, which included:
- The company is conducting “a thorough audit” of all accounts, credentials and permissions granted to all authorized users, and enhanced security protocols are being deployed.
- “A well-established and experienced cybersecurity incident response firm” is on board to lead Timehop’s response to the event, determine exposure or potential exposure of user data, ensure that no further attacks are ongoing and create a recover architecture.
- Timehop’s cloud computing provider was informed about the incident and the actions that were taken, and follow-up assistance was requested.
- A “cyber-threat intelligence and dark web research firm” is working with Timehop and the incident response firm mentioned above to gather intelligence on the attack and prevent future attacks.
- Timehop said it is in communication with local and federal enforcement officials and providing all requested information to aid their investigations.
Finally, the company addressed possible implications in the European Union due to its recently enacted General Data Protection Regulation: “Although the GDPR regulations are vague on a breach of this type (a breach must be ‘likely to result in a risk to the rights and freedoms of the individuals’), we are being proactive and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”