Timehop recently announced it suffered a data breach that affected 21 million user accounts. While the U.S. celebrated its independence on July 4th, hackers took the liberty of stealing the personal data of some 21 million people who use Timehop, a cloud application that resurfaces social media posts from the past. Launched back in 2011, it collects all of your Facebook, Instagram, Twitter and Foursquare posts, which it then plays back for its subscribers in reminiscent fashion. The company disclosed just four days later that a breach had occurred on July 4 at 2:04 PM. The hackers had complete access to the Timehop systems for over two hours before technical personnel discovered the intrusion and immediately began shutting down the system. During those two hours, the perpetrators were able to take the names and email addresses of 21 million user accounts. In addition, they were able to acquire the phone numbers of 4.7 million users.
To their credit, the company has been extremely forthcoming in how the attack occurred, offering full disclosure on its website. According to their released technical report, the attacker first accessed the system back on December 19, 2017 by acquiring the credentials of an authorized administrative account. The unauthorized user then created a new administrative user account and began conducting reconnaissance activities within the Timehop server environment. Further reconnaissance took place in March of 2018. On June 22, the attacker accessed the system to discover a database recently migrated by Timehop employees. The attack was then carried out two weeks later. Since it was a national holiday, the attackers obviously chose the date on the premise that the company would have a diminished staff. Fortunately, there were indeed competent staff on hand who were able to recognize the threat in a timely manner.
In addition to personal data, the intruders obtained a series of access tokens that Timehop uses to pull information from social media accounts. Using these tokens, the perpetrators could view unpublished social media posts. Part of the system shutdown performed by Timehop included the deactivation of these tokens. Any users with active sessions were logged out of the application as well. The company has been clear in stating that the tokens do not give anyone direct access to anyone’s social media accounts and there is no evidence that the attackers ever had the opportunity to utilize the stolen tokens. Timehop is also assuring the public that no private messages, financial data or social content of any kind were accessed or compromised. Said Timehop officials, “no one can access the personal memories of our users.”
While Timehop is doing everything required in follow-up to the breach, they opened themselves up to an attack by failing to adopt a multifactor authentication system for their internal users, not to mention privileged accounts. A multifactor authentication system acts as a second wall of defense for accounts. The most popular form is an SMS PIN sent to the registered phone number of the designated user. While many security professionals consider this measure to be “default” for any organization today, many enterprises have yet to implement it. Without this security addition, remote users can covertly access user accounts through credential stuffing attacks that eventually hit on the password. Timehop is now enabling multifactor authentication for all accounts.
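The chain described in the report, a password-only administrative login followed by the creation of a new administrative account, is something audit logs can surface. The following is an added example, not code from Timehop or its report; the event fields, account names and rule names are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed audit events (not Timehop's real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2017-12-19T03:12:00", "actor": "ops-admin", "action": "login", "mfa": False},
    {"ts": "2017-12-19T03:20:00", "actor": "ops-admin", "action": "create_user",
     "target": "svc-backup2", "role": "admin"},
    {"ts": "2017-12-20T09:00:00", "actor": "dev-lead", "action": "login", "mfa": True},
    {"ts": "2017-12-20T09:05:00", "actor": "dev-lead", "action": "create_user",
     "target": "intern1", "role": "read-only"},
    {"ts": "2018-03-01T02:40:00", "actor": "svc-backup2", "action": "login", "mfa": False},
]

def find_risky_admin_events(events, admins):
    """Return (timestamp, rule, detail) findings for privileged-account misuse."""
    admins = set(admins)          # grows as new admin accounts are created
    last_login_mfa = {}           # actor -> whether their latest login used MFA
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        actor = ev["actor"]
        if ev["action"] == "login":
            last_login_mfa[actor] = ev.get("mfa", False)
            if actor in admins and not last_login_mfa[actor]:
                findings.append((ev["ts"], "ADMIN_LOGIN_NO_MFA", actor))
        elif ev["action"] == "create_user" and ev.get("role") == "admin":
            admins.add(ev["target"])  # the new account is now privileged too
            # Worst case: the creating session itself was password-only.
            rule = ("NEW_ADMIN_BY_NO_MFA_SESSION"
                    if not last_login_mfa.get(actor, False) else "NEW_ADMIN_ACCOUNT")
            findings.append((ev["ts"], rule, f"{actor} -> {ev['target']}"))
    return findings

if __name__ == "__main__":
    for finding in find_risky_admin_events(SAMPLE_EVENTS, {"ops-admin", "dev-lead"}):
        print(*finding, sep="  ")
```

Because newly created administrative accounts are added to the watched set, later password-only logins by those accounts are flagged as well.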
Timehop has hired a cyber-threat intelligence company to monitor the personal data that was stolen in the data breach. That firm will scan forums and lists on the dark web for the acquired names, email addresses, and phone numbers. Timehop is fully cooperating with local and national law enforcement to aid in the investigation. In light of the attack, the company has hurriedly implemented a multifactor authentication system for its cloud-based accounts. Those who feel that their phone numbers were compromised are being encouraged to contact their cable providers in order to protect their accounts. All users are required to log in to the system and re-authenticate their accounts.
The Timehop incident is a clear example of how our personal data is widely dispersed in so many places. Oftentimes, we do not think about how much personal contact information is littered throughout the internet until we are notified by security alerts. Although it did not occur in this case, the Timehop breach shows how a hacking attack on one company can open up access to related accounts hosted on other company systems. In essence, our data is only as secure as the weakest link in the chain.