Timehop Admits Data Theft Of 21 Million Users

Social media aggregation app Timehop has admitted it is at the centre of a large data breach after it reported that data on 21 million users had been stolen on 4 July.

Timehop is a smartphone application that collects old photos and posts from social networking platforms such as Facebook, Instagram, Twitter, and Dropbox photos.

But Timehop’s cloud environment was evidently not fully secured: it was compromised by an ‘unauthorised attacker’ who first spent months on reconnaissance and then stole the data.

Independence day

The ‘security incident’ began in December last year when an ‘unauthorised attacker’ utilised ‘authorised administrative user’s credentials’ to log into Timehop’s cloud computing provider.

This attacker then “created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment,” blogged Timehop. “For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorised user logged in again and continued to conduct reconnaissance.”

Timehop has confirmed that the cloud account was not protected by two-factor authentication, and matters took a more sinister turn in early July, on US Independence Day.

“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data,” said Timehop. “At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 PM, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”

The firm immediately contacted law enforcement and “retained services of a cyber security incident response company, a cyber security threat intelligence company; and a crisis communications company.”

The bulk of the stolen data consisted of usernames and email addresses, but 4.7 million phone numbers were also taken. The access tokens that social media platforms had issued to Timehop, which allowed the app to read users’ images and posts, were stolen as well; such tokens remain usable by whoever holds them until the issuing platform revokes them.

Expert reaction

Experts pointed to Timehop’s failure to properly secure their cloud platform.

“The rapid adoption of cloud and SaaS services has altered the security paradigm,” said Max Heinemeyer, director of threat hunting at Darktrace. “Cloud-only and hybrid infrastructures bring organisations many undeniable benefits, such as increased agility and scalability on demand. But while organisations can outsource their IT processes, they cannot outsource their security function altogether.

“The reality is that the cloud can be a security blind spot for organisations and the compromise of credentials, such as we have seen in this Timehop breach, are an increasingly common threat scenario,” said Heinemeyer. Cloud providers offer controls such as multi-factor authentication for administrative logins, but it is the customer who has to switch them on; Timehop has confirmed that it had not.

Another expert pointed to the difficulty of spotting an attacker who is using legitimate, if stolen, credentials.

“Timehop allows individuals to remember the good times and, hopefully, the way it has reacted to this breach will help mitigate any bad memories created as a result,” said Ross Brewer, VP and MD EMEA at LogRhythm.

“The company claims that although attackers stole ‘access tokens’, it quickly deauthorised them to ensure the safekeeping of more sensitive content,” said Brewer. “Compromised accounts remain a very real issue, with many businesses seemingly unable to tell when unauthorised individuals are using authorised credentials to access networks. As such, it’s now imperative for organisations to adopt threat detection technology such as User and Entity Behaviour Analytics (UEBA) which can quickly analyse and flag any suspect activity based on user behaviour, random IP addresses or any other potential red flags.”
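The behavioural detection Brewer describes can be made concrete. The block below is an added example, not Timehop’s code or its cloud provider’s tooling: it runs a handful of rules over constructed audit-log events that follow the timeline in Timehop’s statement (an administrative login without MFA, creation of a second administrative user, months of read-only reconnaissance, then a bulk transfer out of the production database). The event schema, field names, IP addresses, dates other than 4 July, the per-principal IP baseline and the export threshold are all assumptions; Timehop never named its provider or its log format.

```python
"""Added example: simple audit-log detections modelled on the Timehop timeline.
The log format, the sample events and the baselines below are constructed
assumptions, not a real cloud provider's schema or Timehop's own data."""
import json
from collections import defaultdict

# Assumed threshold above which a database export counts as a bulk transfer.
EXPORT_THRESHOLD_BYTES = 1_000_000_000

# Constructed events, one JSON object per line. Dates apart from the 4 July
# transfer are invented; the IPs are documentation ranges.
SAMPLE_LOG = """
{"time":"2017-12-19T22:10:00Z","principal":"admin-ops","action":"console.login","source_ip":"203.0.113.7","mfa":false}
{"time":"2017-12-19T22:12:00Z","principal":"admin-ops","action":"iam.create_user","target":"svc-backup2","source_ip":"203.0.113.7","mfa":false}
{"time":"2017-12-19T22:13:00Z","principal":"admin-ops","action":"iam.attach_policy","target":"svc-backup2","policy":"AdministratorAccess","source_ip":"203.0.113.7","mfa":false}
{"time":"2018-03-05T03:40:00Z","principal":"svc-backup2","action":"console.login","source_ip":"198.51.100.22","mfa":false}
{"time":"2018-03-05T03:41:00Z","principal":"svc-backup2","action":"db.describe","source_ip":"198.51.100.22","mfa":false}
{"time":"2018-07-04T18:30:00Z","principal":"svc-backup2","action":"db.export","source_ip":"198.51.100.22","bytes":9000000000,"mfa":false}
"""

# Assumed baselines: where the real admin normally logs in from, and which
# principals are legitimately administrators.
KNOWN_IPS = {"admin-ops": {"192.0.2.10"}}
KNOWN_ADMINS = {"admin-ops"}


def parse_events(log_text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events, known_ips, known_admins, export_threshold=EXPORT_THRESHOLD_BYTES):
    """Run four rules over the events in order and return the alerts raised."""
    seen_ips = defaultdict(set)
    for principal, ips in known_ips.items():
        seen_ips[principal] |= set(ips)
    alerts = []

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "time": ev["time"],
                       "principal": ev["principal"], "detail": detail})

    for ev in events:
        principal, ip = ev["principal"], ev["source_ip"]
        # Rule 1: an interactive login that was not protected by MFA.
        if ev["action"] == "console.login" and not ev.get("mfa", False):
            alert("login_without_mfa", ev, f"{principal} logged in from {ip} without MFA")
        # Rule 2: activity from an address never seen for this principal.
        if ip not in seen_ips[principal]:
            alert("new_ip_for_principal", ev, f"first activity by {principal} from {ip}")
            seen_ips[principal].add(ip)
        # Rule 3: someone outside the known admin set is granted full admin rights.
        if (ev["action"] == "iam.attach_policy"
                and ev.get("policy") == "AdministratorAccess"
                and ev.get("target") not in known_admins):
            alert("admin_grant", ev, f"{principal} made {ev['target']} an administrator")
        # Rule 4: a database export larger than the assumed bulk threshold.
        if ev["action"] == "db.export" and ev.get("bytes", 0) > export_threshold:
            alert("bulk_export", ev, f"{principal} exported {ev['bytes']} bytes")
    return alerts


def run_sample():
    """Apply the rules to the constructed log with the assumed baselines."""
    return detect(parse_events(SAMPLE_LOG), KNOWN_IPS, KNOWN_ADMINS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["time"], a["rule"], a["detail"])
```

On the constructed log the first alert fires on the December login, not on the July export, which is the point: by Timehop’s own account its only alarm was a specific action during the transfer on 4 July. The new-IP rule is deliberately crude and will be noisy for principals with no baseline, so in practice it is a signal to feed a scoring model rather than a page-on-its-own alert.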

A third expert pointed to the months of reconnaissance the attacker was able to conduct before finally launching the attack.

“Hackers have long managed to conduct successful breaches by conducting uninterrupted reconnaissance of internal IT networks – and Timehop is a prime example of how these tactics still work,” said Andrew Bushby, UK director at Fidelis Cybersecurity.

“As part of the process, attackers will find credentials that give them access to valuable information – in this instance, user data,” said Bushby. “While Timehop was quick to communicate the breach and comply with EU GDPR, the incident highlights the need for all organisations to have complete visibility into what is happening to their IT systems and proactively hunt for unknown threats.”

“One of the most successful ways to catch out hackers performing reconnaissance is to lure them in using deception techniques in the form of decoys,” he added. “Put simply, Timehop can prevent similar reconnaissance attacks from happening in the future by introducing deception technology as part of a post-breach defense strategy.”

Tom Jowitt
