A massive data breach could lead to personal data emerging on the Dark Web
On Sunday, Timehop announced that the company experienced a major security breach that exposed the personal data of 21 million users (almost its entire user base). The app focuses on reminding users about their previous posts on social media platforms, such as Facebook, Twitter, Instagram, etc., and stores information such as email addresses, names, and phone numbers.
According to the company, out of the 21 million affected users, 4.7 million also had their phone numbers accessed. Additionally, the hackers snatched the social media access tokens used by the app, which would allow bad actors to view personal posts on social media platforms.
On the 4th of July, as soon as the company recognized that its cloud-based computing environment had been breached, these keys were deactivated. Fortunately, no private messages or other sensitive information, such as bank account details, were accessed by the cybercriminals, and this data is considered to be secure.
According to the blog post by Timehop, the damage done was minimal, considering the circumstances:
The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your “Memories” after you’ve seen them.
Nevertheless, security experts are worried that the breached data might start circulating on the Dark Web very soon.
To gain access to Timehop databases, hackers stole the credentials of an admin user account
The attack was discovered on the 4th of July at 2:04 US Eastern Time and was stopped two hours and 19 minutes later. Nevertheless, during that time window, the data had already been accessed.
According to the investigation conducted by the company, the hacker first accessed the cloud-based environment on the 19th of December last year, after the credentials of an admin user account were compromised. Surprisingly, the servers were not protected by two-factor authentication, which is considered to be a mandatory practice for any modern-day company.
The attacker logged back in a few times in December, once in March, and then in June before proceeding with the attack, which occurred on Independence Day.
The company took measures to protect users' accounts in the future
Although the access tokens were deactivated after the breach was discovered, the culprit could, technically, have accessed social media posts that were not even published yet. Nevertheless, Timehop gave assurances that there is no evidence of this activity.
As of now, it is unclear how serious the incident is, and Timehop is following all regulatory procedures, including the GDPR, which forces the company to let victims know about the breach within 72 hours of the occurrence. Additionally, the company is working with GDPR specialists to comply with the law, considering that many of its users are from Europe.
Timehop also contacted law enforcement, hired a professional cybersecurity team to investigate the incident, conducted an internal system audit, changed all passwords and keys, and added multifactor authentication for all accounts on cloud-based services.
It is quite bizarre, however, that these actions could not have been taken before the breach occurred, which would have prevented the leak of information belonging to millions of users. It proves that many companies still do not invest proper time and money in security procedures. Stay safe online.