Data of 21 million Timehop users exposed
Personal details, including names and e-mail addresses of over 21 million Timehop app users have been exposed due to a data breach. About 4.7 million of those accounts had phone numbers attached to them.
Timehop is an add-on app used by social media users to reminisce about the good ol’ days. It was popular before Facebook rolled out its Memories feature, and the app was also used by many Twitter and Instagram fans.
The startup admits that the breach occurred due to unauthorised access to its cloud computing account, which it says was not protected by multi-factor authentication.
The breach was detected two hours after it happened, and although Timehop managed to disrupt the data transfer, it did not manage to stop some of the data theft. On top of personal data, the attackers also reportedly took “access tokens” provided to Timehop by the social media platforms.
Timehop states that the tokens could allow attackers to view some of the social media posts uploaded by the affected users in the past. However, the startup claims that it has already taken measures to terminate the tokens and that they are no longer available for use.
“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your Memories after you’ve seen them,” states Timehop.
The case is still under investigation and Timehop stresses that there has been no report of unauthorised access of user data through the access token. It also states that the tokens do not provide anyone access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or even the items posted by the users’ friends on their Facebook walls.
Alarmingly, Timehop – which only has access to users’ posts on their own profiles – admits that there was a short time window during which it was “theoretically” possible for the attackers to gain access to those posts.
However, it stresses that there has been no evidence of such an occurrence. Timehop claims that it is working with a cybersecurity company to search the Internet and Dark Web to find out whether any of the data have been leaked. So far, there is no evidence of such activity, though Timehop believes that there is a high likelihood that the data will appear in forums and be circulated on the Internet and the Dark Web.
As a result of this breach, Timehop claims that it has taken steps to include multi-factor authentication to secure authorisation and access control on all accounts.
As Timehop has invalidated all API credentials, users have been automatically logged out of the app, and users will be asked to log in again to Timehop and reauthenticate each service they wish to use with Timehop. This process, it says, will generate a new, secure token.
“We immediately conducted a user audit and permissions inventory, changed all passwords and keys, added multi-factor authentication to all accounts in all Cloud-based services, revoked inappropriate permission, increased alarming and monitoring, and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We will employ the latest encryption techniques in our databases,” it states.
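The token invalidation described above has one practical subtlety: deleting an app's own copy of a stolen access token does nothing until the issuing platform revokes it too. The following added example (not Timehop's code; the Provider and App classes are constructed stand-ins for a social platform's API and a third-party app's token store) shows why revocation has to happen at the provider, and how a forced re-authorisation yields a fresh token while the copied one stays dead.

```python
import secrets


class Provider:
    """Constructed stand-in for a social platform's API (not a real SDK)."""

    def __init__(self):
        self._issued = {}  # token value -> user_id

    def issue(self, user_id):
        # Simulates the end of an OAuth-style authorisation flow.
        token = secrets.token_urlsafe(32)
        self._issued[token] = user_id
        return token

    def revoke(self, token):
        self._issued.pop(token, None)

    def fetch_posts(self, token):
        if token not in self._issued:
            raise PermissionError("token revoked or unknown")
        return f"posts of {self._issued[token]}"


class App:
    """Constructed third-party app that stores one provider token per user."""

    def __init__(self, provider):
        self.provider = provider
        self.tokens = {}  # user_id -> token value

    def connect(self, user_id):
        self.tokens[user_id] = self.provider.issue(user_id)
        return self.tokens[user_id]

    def invalidate_all(self):
        # Revoke at the provider first: clearing the local copy alone leaves
        # any exfiltrated copy usable until the provider stops honouring it.
        for token in self.tokens.values():
            self.provider.revoke(token)
        self.tokens.clear()  # users are now logged out and must reconnect


def token_usable(provider, token):
    """True if the platform still accepts this token (what an attacker cares about)."""
    try:
        provider.fetch_posts(token)
        return True
    except PermissionError:
        return False
```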