Previously, it was thought that only users’ names, email addresses and phone numbers were compromised in Timehop’s recent data leak, however, the company has now revised its initial assessment to include users’ dates of birth, gender and country codes. It has also come to light that the culprit who pinched the data had been able to access their systems since December 2017.
According to their updated technical report, which is still the subject of an ongoing investigation, in December the attacker used an authorised administrative user's credentials to log into the company's cloud computing provider and created a new administrative user account. The attacker then began reconnaissance activities within the company's cloud computing environment; however, no Personally Identifiable Information (PII) was there to be stolen at that time.
In April 2018, company staff migrated a PII database into that environment, which the attacker saw when they next logged on in June. They logged on again on July 4, the day of the attack, and stole the database containing the PII.
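The attack chain described above (a valid administrative credential used to log in, a further administrative account created, a later login by that account, then reconnaissance) is the kind of sequence a cloud audit-log detection should flag long before a database is copied. The following is an added example, not code from the article or from Timehop, using a constructed, provider-neutral event format (`ts`, `actor`, `action`, `target`, `mfa` are assumed field names) and constructed sample events; the rule names and the baseline of known administrators are likewise assumptions for illustration.

```python
"""Detection rules over constructed cloud audit events for the pattern:
privileged login without a second factor -> creation of a new identity ->
admin rights granted to it -> later login by that new identity."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: principals that are supposed to hold admin rights.
KNOWN_ADMINS: Set[str] = {"ops-admin", "cto"}

# Constructed sample events (not real logs). Field names are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2017-12-19T02:14:00Z", "actor": "ops-admin",  "action": "ConsoleLogin",      "mfa": False, "target": None},
    {"ts": "2017-12-19T02:20:00Z", "actor": "ops-admin",  "action": "CreateUser",        "mfa": False, "target": "svc-backup"},
    {"ts": "2017-12-19T02:21:00Z", "actor": "ops-admin",  "action": "AttachAdminPolicy", "mfa": False, "target": "svc-backup"},
    {"ts": "2018-06-22T23:05:00Z", "actor": "svc-backup", "action": "ConsoleLogin",      "mfa": False, "target": None},
    {"ts": "2018-06-22T23:30:00Z", "actor": "svc-backup", "action": "DescribeDatabases", "mfa": False, "target": None},
    {"ts": "2018-07-03T10:00:00Z", "actor": "cto",        "action": "ConsoleLogin",      "mfa": True,  "target": None},
]

Alert = Tuple[str, str, str]  # (rule, principal, timestamp)


def parse_ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: List[Dict], known_admins: Set[str],
           grant_window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Replay events in time order and emit alerts for three conditions:
    - login_without_mfa:      an admin principal logs in with no second factor
    - new_user_granted_admin: a freshly created user is made admin within grant_window
    - login_by_unvetted_admin: an admin principal not in the approved baseline logs in
    """
    alerts: List[Alert] = []
    created: Dict[str, datetime] = {}          # user -> creation time
    admins: Set[str] = set(known_admins)       # grows as policies are attached

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = parse_ts(e["ts"])
        actor, action = e["actor"], e["action"]
        target: Optional[str] = e.get("target")

        if action == "ConsoleLogin" and actor in admins:
            if not e.get("mfa", False):
                alerts.append(("login_without_mfa", actor, e["ts"]))
            if actor not in known_admins:
                # Admin rights exist in the environment but were never approved.
                alerts.append(("login_by_unvetted_admin", actor, e["ts"]))

        elif action == "CreateUser" and target:
            created[target] = ts

        elif action == "AttachAdminPolicy" and target:
            admins.add(target)
            if target in created and ts - created[target] <= grant_window:
                alerts.append(("new_user_granted_admin", target, e["ts"]))

    return alerts


if __name__ == "__main__":
    for rule, who, when in detect(SAMPLE_EVENTS, KNOWN_ADMINS):
        print(f"{when} {rule:<24} {who}")
```

Run against the constructed events, the rules fire on the first admin login (no second factor), on the admin grant to the newly created `svc-backup` account a minute later, and twice on `svc-backup`'s own later login (no second factor, and an admin principal outside the approved baseline); the MFA-backed `cto` login produces nothing. The baseline comparison is what matters operationally: a newly created administrator is only visible as such if the set of approved admins is maintained somewhere other than the cloud account itself.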
In light of this additional information, Timehop took the opportunity to reaffirm that, of the 21 million accounts affected by the breach, none of the users' memories (older social media posts) were compromised. Furthermore, it asserted that not all accounts had been affected equally: for example, only 3.3m accounts had the entirety of their name, email, phone and date of birth taken. But it did concede that all 21m accounts had at least their name leaked.
Initial Audit Made in Haste
Timehop has assured its users that it is already working on preventing future breaches by enforcing the use of two-factor authentication on its internal systems and by encrypting its databases.
In an interview with TechCrunch a member of the Timehop team explained: “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything.
“With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed.
“This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.” A security consultant hired by the company told TechCrunch, under the condition of anonymity, that the new GDPR laws had contributed to the firm’s hasty and incomplete disclosure.
He said of Timehop’s response: “I think it really says a lot to their integrity that they decided to go fully public the second they knew it was a breach. I want to point out these guys responded within 24 hours with a full-on incident response and secured their environments. That’s better than so many companies.”