Timehop Suffers Data Breach

Cornelia Mascio
July 9, 2018

Timehop says no social media content, financial data or Timehop data was affected by the breach - and its blog post emphasizes that none of the content its service routinely lifts from third-party social networks in order to present back to users as digital "memories" was affected.

A Timehop security breach has resulted in 21 million users' data being compromised. Names, email addresses and phone numbers have been obtained, and the company urges users to take urgent steps to protect their cellphone numbers ...

Timehop also says none of the "memories", or photos from social media, were taken, nor were private messages and financial data. Timehop also pointed out that there was no indication that any account was illegitimately accessed.

"We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment." In the worst-case scenario, hackers could use the stolen number to access bank accounts.

Alarmingly, the company said data thieves could access Timehop's "access tokens", which allow its app to show people old social media posts from services such as Facebook and Instagram.

It also admits that the tokens could "theoretically" have been used by unauthorized users to access Timehop users' own social media posts during "a short time window" - although again it emphasizes "we have no evidence that this actually happened".

Timehop, an add-on for Facebook which reminds users of all the things that happened to them in the past, remains hugely popular despite Facebook itself now offering similar functionality within the main interface.

The breach also led to a loss of access tokens that the service uses to access users' posts on other social networks. We have deactivated these keys so they can no longer be used by anyone - so you'll have to re-authenticate to our App. But prior to that its Twitter account was only noting that some "unscheduled maintenance" might be causing problems for users accessing the app...

"An email to the entire user base is in the works for today", he tells TechCrunch.

The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure. "My hopes are that with the new privacy regulations, such as GDPR, companies will take better care of PII and such incidents will become less common". It doesn't store data like credit card information, location data or users' IP addresses either.

Timehop first disclosed the cyberattack publicly in the Sunday blog post, several days after the breach unfolded.
