Names and email addresses of as many as 21 million Timehop users may have been compromised as a result of a data breach that occurred on July 4. Timehop, a service that aggregates old photos and posts from various social media accounts — including Facebook, Instagram, Twitter, Google Photos, and Dropbox — discovered the attack on its service as it was unfolding, but it took several hours for the company to contain the breach.
“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data,” the company revealed a few days following the breach. “At 2:43 pm U.S. Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 p.m., Timehop engineers had begun to implement security measures to restore services and lock down the environment.”
Timehop’s initial investigation revealed that no user content was compromised as a result of the breach. Engineers deactivated keys that linked Timehop’s service with other social media platforms as a response, so users will have to re-authenticate with those services. Still, in addition to names and email addresses, as many as 4.7 million phone numbers may have also been exposed as a result of the attack, TechCrunch reported.
“While we were confident that the access keys to those services had not been used, we felt that potential exposure of that content urgently justified a service interruption to ensure that attackers could not, for example, view personal photos,” the company said. “Through conversations with the information security, engineering, and communications staff at these providers, we were able to deactivate the keys and confirm that no photos had been compromised.” Timehop further noted that these tokens would not have given anyone access to private information, such as Facebook Messenger messages or Twitter Direct Messages.
According to the company, the first stage of the attack occurred on December 19, 2017 when an unauthorized user obtained the credentials of an administrative user to create a new administrative-level account. The attacker was able to do this because the original administrative account was not protected by multi-factor authentication, and Timehop has since taken steps to secure accounts to prevent another similar attack from happening. The attacker used the newly created administrative account to log into Timehop’s servers in March and June, with the attack taking place in July.
Although the attacker may have had access to some of your social posts on Facebook, Instagram, and Twitter, Timehop informed users that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts.” Despite the security breach, Timehop maintains that it found “no evidence that any accounts were accessed without authorization,” and it claims that because it pulls only the data that it needs for the service, it was able to minimize a potentially larger exposure. Timehop has notified law enforcement about the breach and retained the services of a cybersecurity agency to monitor the dark web to ensure that user data doesn’t get leaked.