Popular social media ‘memory’ / time-capsule application Timehop has today confirmed that it suffered a data breach on the 4th of July which affects its 21 million users. The stolen data included names, email addresses and some phone numbers.
Timehop have confirmed that no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.
The unauthorised party (hacker) had compromised one of Timehop’s systems, which wasn’t protected by multifactor authentication, which requires a second verification step in addition to the password.
Read the full release below:
“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.
We commit to transparency about this incident, and this document is part of our providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.
Some data was breached. These include names, email addresses, and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.
- To reiterate: none of your “memories” – the social media posts & photos that Timehop stores – were accessed.
- Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.
- If you have noticed any content not loading, it is because Timehop deactivated these proactively.
- We have no evidence that any accounts were accessed without authorization.
- We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
- You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.
- The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your “Memories” after you’ve seen them.
WHAT IS NEXT FOR USERS?
Because we have invalidated all API credentials, you will be asked to log in again to Timehop and re-authenticate each service you wish to use with Timehop. This will generate a new, secure token. Because your data’s integrity is our first priority, we have deauthorized tokens as quickly as possible. As we mentioned, if you have noticed any content not loading, it is because we deactivated these tokens proactively. Additionally, user streaks have been frozen and maintained for the time being. If you have any issues please let us know.
Phone Number Security
If you used a phone number for login, then Timehop would have had your phone number. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.
If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.
If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.
At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.
The attack was detected, and two hours and nineteen minutes later – at 4:23 PM that same day – our engineers locked out the attackers (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.
While we continue to investigate, we have confirmed that this intrusion led to a breach of some data:
- Names, some email addresses, and some phone numbers belonging to our customers have been compromised.
- Additionally, “access tokens” provided to Timehop by our social media providers were also taken. These tokens could allow a malicious actor to view without permission some of your social media posts. (As you will read below, we have terminated these tokens and they can no longer be used.) In situations where our social media partners made use of two-part keys – a user part and a “secret” part – our secret parts of the keys were not compromised.
While we investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.
Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.
All the compromised tokens have been deauthorized, and are no longer valid. In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens.
HOW HAS TIMEHOP RESPONDED?
On the 4th of July, when Timehop detected the activity, our engineers moved rapidly to limit the damage created by this breach. It is moving aggressively and proactively to notify users, partners, and customers that the breach occurred. Timehop’s first priority has been to defend the social media and account data of its customers.
To that end:
- Timehop has conducted an initial audit, and is conducting a thorough audit, of all accounts, credentials, and permissions granted to all authorized users; and deployed enhanced security protocols to secure our systems, remove the intruders and protect your data.
- Timehop has engaged a well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.
- Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance.
- It has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, to help prevent further attacks.
- Timehop is in communication with local and federal enforcement officials, and is providing all requested information to cooperate in all respects with any investigation.
- Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.
WHAT ARE ALL THESE TERMS, AND WHAT DO THEY MEAN
An attacker is a user who gains access to our systems without our permission. Another common way to put it is that an attacker is an unauthorized user, or a “hacker”.
A Compromise is an incident in which an unauthorized user breaks the confidentiality, integrity, or availability of a service – quite simply, it means that our security was broken.
During a Compromise (or, “When our security is broken”) any data that the attackers – the unauthorized users – may have been able to look at, copy, or download can be considered to have been exposed.
A Breach is when data is actually taken (or, “exfiltrated”) from our computing environment. It means that the attacker was able to break through our security and take what they wanted. This is different from a mere intrusion, which just means that someone got in to our system.
A Network Intrusion is any time an unauthorized user, or attacker, is able to penetrate our network defenses and gain access to data or resources within our network.
An encryption key is used to encrypt or decrypt data. A computer uses an encryption key to access data or services in much the same way a human uses a user name and a password. An encryption key is a string of characters that is created to scramble and unscramble data.
An access token identifies a specific account and its credentials; it is sort of similar to the way your bank uses a routing number and account number to send money.
Cloud Computing Provider
Cloud computing is a fancy way to describe a data center not within our corporate headquarters, where our servers are stored and operated, and reached via the Internet. The best known cloud computing providers are Amazon Web Services, Microsoft Azure, and Google Cloud, but there are many such providers.
Cyber Reconnaissance is the activity of looking around in a computer network and becoming familiar with what kinds of computers, services, and data are present.
The Dark Web is a set of Internet web sites that anonymize user traffic, and are accessible only using special encryption software. The Dark Web holds legitimate and illegitimate services and Web sites.
FREQUENTLY ASKED QUESTIONS
What was breached and when?
A database containing usernames, phone numbers, email addresses, and social media access tokens was breached on July 4, 2018. Social media access tokens were taken for all accounts. Not all accounts had names, phone numbers, or email addresses.
How sensitive is the information?
The names of some of our customers were breached. We note that in many cases these are not the customer’s full legal name but rather the social media name as listed on their account. Some of our customers’ email addresses were lost, and a smaller number of our customers’ phone numbers. No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.
How many users were affected?
Some 21 million accounts were affected with a name and email. Just under 22%, or 4.7 million, of those accounts have a phone number attached to them.
Will this affect my Streak?
No! Many people have asked, and the answer is that we will ensure all Streaks remain unaffected by this event. If you have any issues please let us know.
Do you know if the data has been used?
We have no evidence that the data has been used. All the access keys have been de-authorized and cannot be used. Timehop has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.
What actions have you taken to ensure that this is the extent of the breach and won’t happen again?
There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to deauthorize compromised access tokens, and as we describe below, are working with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases.
Has law enforcement been informed?
Yes. Timehop is in communication with local and federal law enforcement officials and will cooperate with all investigations on this matter.
What are the implications in Europe under the new GDPR privacy law?
Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”
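The release describes invalidating every API credential at once and having users re-authenticate to receive a fresh token. One way a service can implement that kind of mass deauthorization is with a single global revocation cut-off: tokens carry their issue time, and any token issued before the cut-off is rejected regardless of whether it is otherwise valid. The Python below is an added illustration of that pattern and is not Timehop's code; the token format, the `TokenStore` class, `revoke_all`, and the server secret are all constructed assumptions.

```python
"""Added illustration (not Timehop's code): mass revocation of bearer tokens.

Each token is a base64 payload plus an HMAC-SHA256 signature made with a
server-side secret. A global `revoked_before` timestamp lets the service
reject every token issued before an incident cut-off, forcing clients to
re-authenticate, while tokens issued afterwards keep working.
All names, secrets and timestamps here are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example only; a real service keeps this in a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Sign a small payload (subject + issue time) and return 'payload.signature'."""
    payload = json.dumps({"sub": user_id, "iat": issued_at}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


class TokenStore:
    """Verifies tokens and holds the global revocation cut-off (hypothetical helper)."""

    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self.secret = secret
        self.revoked_before = 0  # no cut-off until an incident sets one

    def revoke_all(self, cutoff: int) -> None:
        """Invalidate every token issued before `cutoff`; never move the cut-off backwards."""
        self.revoked_before = max(self.revoked_before, cutoff)

    def verify(self, token: str) -> Optional[dict]:
        """Return the payload for a valid, unrevoked token, or None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = _unb64(payload_b64)
            sig = _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time signature check
            return None
        claims = json.loads(payload)
        if claims.get("iat", 0) < self.revoked_before:  # issued before the cut-off
            return None
        return claims


if __name__ == "__main__":
    store = TokenStore()
    old = issue_token("user-1", 1000)
    print("before revocation:", store.verify(old))
    store.revoke_all(2000)  # incident cut-off: everything older is dead
    print("after revocation:", store.verify(old))
    fresh = issue_token("user-1", 2500)  # re-authentication issues a new token
    print("re-issued token:", store.verify(fresh))
```

The cut-off is monotonic, so a later incident can only widen the revoked window, and a token forged with the wrong secret or assembled from mismatched parts fails the signature check before the timestamp is even consulted.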