Hacked: Timehop database breach exposed details of 21 million users

Timehop -- the social network for those who like to reminisce -- has revealed that it fell victim to a security breach on Independence Day. The attacker managed to access an internal database stole the personal data of 21 million users from Timehop's Cloud Computing Environment.

The vast majority of those affected by the "security incident" (as Timehop refers to it) had their names and usernames exposed, but for nearly a quarter of them -- 4.7 million -- phone numbers were also exposed. The hacker also took access tokens which could be used to view users' posts.

See also:

• Gentoo Linux Github Organization repo hack was down to a series of security mistakes
• aLTEr: Hackers can spy on your 4G browsing sessions thanks to LTE flaws
• Gentoo Linux Github Organization hacked and repo code compromised
• Don't panic! Hackers have not found a way to bypass the iPhone passcode limit

Timehop is keen to stress that it quickly deauthorized the stolen token, but it is impossible to say whether the hackers were able to access additional data before this happened. The hack could have been much worse had Timehop not detected it as quickly as it did. The site explains:

On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.

The groundwork for the attack was started back in mid-December when an unauthorized person used an authorized user's credentials to create a new administrative user account that could access Timehop's Cloud Computing Environment. On a couple of occasions after this, the attacker uses the account to "conduct reconnaissance" before unleashing the Independence Day attack. The site was quickly alerted when this attack started and started to lock down security in around two hours.

In a security notification about the incident Timehop informs users about the impact of what took place:

• Some data was breached. These include names, email addresses, and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.
• To reiterate: none of your "memories" -- the social media posts & photos that Timehop stores - were accessed.
• Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone - so you’ll have to re-authenticate to our App.
  • If you have noticed any content not loading, it is because Timehop deactivated these proactively.
• We have no evidence that any accounts were accessed without authorization.
• We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
• You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.
• The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don't store copies of your social media profiles, we separate user information from social media content -- and we delete our copies of your "Memories" after you've seen them.

Timehop says that it is investigating what happened and conducting a complete audit. Following the attack, a number of new security measures have been introduced, including system-wide multi-factor authentication (many people will be concerned that this was not already in place). The company says:

There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment.  We immediately began actions to deauthorize compromised access tokens, and as we describe below, are worked with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases.

Timehop has also provided a more detailed breakdown of the attack if you want to lean more about what happened.

Image credit: Piotr Swat / Shutterstock