Site navigation

Timehop Data Breach Exposes 21 Million Users

Ross Kelly



Timehop, the highly popular social media nostalgia app, has revealed a massive data breach that could have been easily avoided…

Timehop is a fantastic app used by millions worldwide – the ultimate social media nostalgia trip. Remember that first holiday with your friends? Cute selfies with your other half? Endless pictures of food and dogs? It’s all on there and at your disposal.

Following reports of a data breach, however, you may not be the only one observing what you posted several years ago. The social media app has revealed that its cloud computing environment was hacked on the 4th of July – potentially exposing the data of 21 million users.

On its website, Timehop stated: “On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.”

The stolen data is believed to contain mostly usernames and email addresses. However, of the 21 million compromised accounts, around 4.1 million phone numbers are believed to have been stolen.

A Token Glimpse at your Account

Timehop uses “tokens” provided by social media platforms such as Facebook, Twitter or Instagram to gain access to your old photos and posts. As part of the data breach, these tokens were also taken.

Through this, hackers were able to view some users’ social media posts without their permission. As a result, Timehop says it has voided all social media authorisation tokens it held and has alerted users – who will now be required to re-authenticate each service to continue using the app.

The app also sought to calm fears of further intrusions on separate platforms, claiming that other social media profiles cannot be accessed.

The company said: “We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall.

“In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorised users to access those posts.”

Easy Access?

According to the statement on Timehop’s website, the breach occurred because an access credential to its cloud computing environment was compromised. Perhaps most concerning in this breach is that access was gained largely due to a lack of multifactor authentication.

It said: “We have now taken steps that include multifactor authentication to secure our authorisation and access controls on all accounts.”

This breach appears to have been in the planning stages for quite some time, as the company claimed in another blog post that unauthorised access occurred in December of 2017. Since that time, the intruder had been conducting “reconnaissance” activities for around two days. Since that initial event, the user logged in twice more – once in March 2018 and another in June 2018.

The social media app’s reaction, it claims, was swift. Upon discovering a breach had occurred all necessary agencies were contacted. It has also taken on board a number of cybersecurity specialists to help guide the company through the ongoing crisis.

“Once we recognised that there had been a data security incident, Timehop’s CEO and COO contacted the board of directors and company technical advisors; informed federal law enforcement officials; and retained the services of a cybersecurity incident response company, a cybersecurity threat intelligence company; and a crisis communications company” Timehop said.

Professor Bill Buchanan OBE at Napier University’s Cyber Academy, told Digit that many companies need to invest in adequate cyber security; both defence and practices are critical to an organisation’s security.

He said: “One must thus wonder why the company didn’t implement multifactor authentication before the incident, and it seems that many companies need a wake-up call before they are forced to implement things that should already be there.”

He added that although this appears damaging, the company acted in a prompt and responsible manner, stating: “There are a few things that jump out here, and which point to both good and bad implementations of security. The first is that the company should have implemented MFA on all its accounts, and should also have been alerted on the reconnaissance on its network.

“But the good is that the company managed to report in a clear and concise way within the required time period, and had clear records of the attack which they can use for future intelligence. It does show that investment in data analytic methods and incident response plans – which can detect and stop a breach – is much better than just investing security products.”

Perilous Times

The Timehop data breach isn’t the only cyber security crisis to have unfolded recently. German hosting company, DomainFactory, has taken down its forums following messages from a user claiming to have compromised the company’s security.

Details of the data breach first came to light through Heise, which says it viewed the forum posts in which the attacker claimed to have accessed the systems. Once again, this appears to have been an attack long in the making, as DomainFactory believes the breach occurred in January 2018.

The company says it has secured its systems but has advised customers to change their passwords. In a statement, DomainFactory said: “While we investigate this data breach, we already know that third-parties could have had unauthorised access to the following categories of data: Customer name; Company name; Customer number; Address; Email addresses; Phone number; DomainFactory Phone password; Date of birth; bank name and accounts number; and Shufa score.”

Ross Kelly

Staff Writer

Latest News

%d bloggers like this: