Timehop announced today that the company suffered a major data security breach on July 4. The app reminds social media users of posts from their past, and according to the company, 21 million users have had some form of personal data stolen as part of the incident.
The app’s attackers allegedly obtained access tokens that allowed them to view users’ Facebook, Instagram, Twitter, and Foursquare posts.
According to a technical report from Timehop, the initial intrusion took place on December 19, 2017, when an authorized administrator’s credentials were used by an unauthorized user. However, the attacker waited until 2:04 PM on July 4th to carry out what the report calls an “attack against the production database and transfer data.”
Timehop’s report also noted that the attackers created a new administrative account and “began conducting reconnaissance activities within [the] Cloud Computing Environment.” The unauthorized user spent two days on reconnaissance after the initial intrusion, then returned for one day in March 2018 and one day in June 2018.
Timehop’s cloud servers were not protected by multi-factor authentication, a control that many consider standard for most companies.
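The two concrete findings above, an administrator login that required no MFA and a freshly created administrative account, are both the kind of thing a cloud audit trail records. The following Python script is an added example, not code from Timehop or from this article: it flags both conditions over a handful of constructed audit events. The field names follow an AWS CloudTrail-like shape (an assumption; the article does not say which cloud provider Timehop used), and the account names, IP addresses and policy identifier are invented.

```python
"""Flag two conditions described in the Timehop report, over constructed
cloud audit events:
  1. an interactive login by any account that did not use MFA, and
  2. a newly created account that is immediately granted an admin policy.
Field names loosely follow AWS CloudTrail (an assumption); all records
below are constructed samples, not real Timehop logs."""
import json

# Substrings that mark a policy as administrative (assumption for this example).
ADMIN_POLICY_MARKERS = ("AdministratorAccess", "admin")

# Constructed sample events. Dates echo the article's stated intrusion date.
SAMPLE_EVENTS = [
    {"eventTime": "2017-12-19T10:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "ops-admin"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-12-19T10:05:40Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2017-12-19T10:06:02Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "ops-admin"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:example:policy/AdministratorAccess"}},
    {"eventTime": "2017-12-19T11:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "dev-alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "203.0.113.5"},
]


def is_admin_policy(policy_id: str) -> bool:
    """True if the policy identifier looks administrative (case-insensitive)."""
    lowered = policy_id.lower()
    return any(marker.lower() in lowered for marker in ADMIN_POLICY_MARKERS)


def find_findings(events):
    """Return (finding_type, principal, eventTime) tuples in chronological order.

    A login without MFA is reported on its own.  An admin policy attached to an
    account created earlier in the same log is reported as 'new_admin_account';
    one attached to a pre-existing account as 'admin_policy_attached'."""
    findings = []
    created_in_log = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev.get("eventName")
        actor = ev.get("userIdentity", {}).get("userName", "?")
        if name == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if mfa != "Yes":  # absent or "No" both count as no MFA
                findings.append(("login_without_mfa", actor, ev["eventTime"]))
        elif name == "CreateUser":
            created_in_log.add(ev["requestParameters"]["userName"])
        elif name == "AttachUserPolicy":
            target = ev["requestParameters"]["userName"]
            policy = ev["requestParameters"]["policyArn"]
            if is_admin_policy(policy):
                kind = ("new_admin_account" if target in created_in_log
                        else "admin_policy_attached")
                findings.append((kind, target, ev["eventTime"]))
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run on the constructed events, the script reports the non-MFA login by `ops-admin` and the creation of `svc-backup2` with an administrative policy; the MFA-backed login by `dev-alice` is not flagged. In practice the same two rules would run against the provider's real audit feed, and a non-MFA administrator login should be paged on rather than merely logged.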
“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” Timehop said in a statement. “Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content -- and we delete our copies of your ‘Memories’ after you’ve seen them.”
A look into the breach
The names and email addresses of 21 million users were stolen, and 4.7 million of those accounts had phone numbers attached to them. Additionally, because the attackers gained control of Timehop’s access tokens, they were able to pull information from users’ social media accounts.
Timehop reported that the tokens were deactivated quickly so the attackers couldn’t view the posts or take any information from them, and that there is no evidence any accounts were accessed.
Following the breach, Timehop announced that it was conducting an investigation with the help of an outside cybersecurity incident response company. This will involve an audit of Timehop’s system, contact with law enforcement, and coordination with social media partners to prevent any future breaches.
“No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached,” Timehop reported.
“There is no such thing as perfect when it comes to cyber security, but we are committed to protecting user data,” the company report said. “As soon as the incident was recognized we began a program of security upgrades.”
Users are being asked to log back into all social media accounts upon reopening the Timehop app, and are being notified of the breach.
“An email to the entire user base is in the works for today,” a Timehop spokesperson told TechCrunch. “[It] took some time to get our second grid account ready for that many emails, as we are not a big email sender in general.”
Timehop users who are concerned about their “Streak” -- the number that Timehop displays of how many consecutive days users have opened the app -- are being reassured by the company that it will “ensure all Streaks remain unaffected by this event.”