Timehop, the extremely popular app that allows users to share their previous moments, has reported that it was the victim of a major data breach over the holiday, which took place on the Fourth of July.
Timehop is available for both iOS and Android smartphone users and, since its launch in 2011, the app has enjoyed tens of millions of downloads. Once a user signs up with Timehop, they are asked to give the app access to their smartphone camera roll and their various social media accounts. For example, Timehop will connect with a user’s Facebook account to see past events, photos, statuses, and more. The app also requests permission to access other social media accounts, such as Twitter, Instagram, and Foursquare. After a user signs up, the app resurfaces old activities from that day 1, 2, 3, or even 4 years ago. If, for instance, a user is notified of an old Facebook status from 2 years ago, Timehop will ask the user for permission to share it to their Facebook timeline.
Yesterday afternoon, the company revealed that its cloud computing environment was breached, allowing hackers to steal the data of 21 million Timehop users. This includes names, e-mail addresses, and 4.7 million phone numbers linked to Timehop accounts. The identity of the hacker(s) is still unknown.
Timehop reports that it was able to stop the attack from continuing, but not in time to prevent the hackers from getting away with a good amount of personally identifiable information. However, on the bright side, no passwords were stolen.
But, because Timehop users link their social media accounts, the hackers were able to steal authorization tokens (keys), which could allow unauthorized viewing of users’ social media content. Fortunately, the extent of access would only include things Timehop has access to, which would NOT include any Facebook messenger conversations, Direct Message conversations on Twitter or Instagram, or any financial information.
In order to foil any attempted unauthorized use of these tokens, Timehop quickly deauthorized all stolen tokens. So far, Timehop reports that there has been no unauthorized use of these tokens. As an extra precaution, Timehop logged all users out of their accounts yesterday for security purposes. Timehop users will now have to re-authenticate their social media accounts once they log back in.
Timehop states that “the breach occurred because an access credential to our cloud computing environment was compromised.” This was an administrative account, and once inside, the hacker created a new administrative user account in order to conduct reconnaissance. Normally, an account lockout policy or two-factor authentication would prevent such an attack. Accordingly, Timehop has now instituted system-wide multi-factor authentication.
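The sequence described above (an administrative login without a second factor, followed by the creation of a new user that is then granted administrative rights) is exactly the kind of pattern a cloud audit log can surface. The following is an added detection example, not Timehop's own tooling; the event format and all log lines are constructed stand-ins for a cloud provider's audit trail, not a real schema or real data.

```python
"""Flag the admin-credential-compromise pattern in constructed cloud audit events."""
import json

# Constructed sample audit log (newline-delimited JSON); IPs are documentation ranges.
SAMPLE_LOG = """
{"time":"2018-07-04T14:00:00Z","event":"ConsoleLogin","actor":"ops-admin","mfa":false,"src":"203.0.113.7"}
{"time":"2018-07-04T14:03:00Z","event":"CreateUser","actor":"ops-admin","target":"svc-backup2","src":"203.0.113.7"}
{"time":"2018-07-04T14:04:00Z","event":"AttachPolicy","actor":"ops-admin","target":"svc-backup2","policy":"AdministratorAccess","src":"203.0.113.7"}
{"time":"2018-07-04T15:00:00Z","event":"ConsoleLogin","actor":"alice","mfa":true,"src":"198.51.100.2"}
{"time":"2018-07-04T15:10:00Z","event":"CreateUser","actor":"alice","target":"intern-bob","src":"198.51.100.2"}
"""

# Hypothetical policy names that confer full administrative rights in this constructed schema.
ADMIN_POLICIES = {"AdministratorAccess"}


def parse_events(text):
    """Parse newline-delimited JSON audit events into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_findings(events):
    """Return (rule, actor, time) tuples for two rules:
    - login-without-mfa: an interactive console login that did not present a second factor
    - new-user-granted-admin: a user created in this log is given an administrative policy
    """
    findings = []
    created = {}  # newly created user -> actor who created it
    for e in events:
        if e["event"] == "ConsoleLogin" and not e.get("mfa", False):
            findings.append(("login-without-mfa", e["actor"], e["time"]))
        elif e["event"] == "CreateUser":
            created[e["target"]] = e["actor"]
        elif e["event"] == "AttachPolicy" and e.get("policy") in ADMIN_POLICIES:
            # Only alert when the grantee was created earlier in the same log window.
            if e["target"] in created:
                findings.append(("new-user-granted-admin", e["actor"], e["time"]))
    return findings


if __name__ == "__main__":
    for rule, actor, when in find_findings(parse_events(SAMPLE_LOG)):
        print(f"{when} {rule}: {actor}")
```

In the sample, only the `ops-admin` session trips both rules; `alice` logs in with MFA and creates a user without escalating it, so she produces no finding.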
Timehop is currently working with IR professionals, law enforcement, and digital forensic experts to minimize the impact of the breach.
Timehop users should understand that their phone numbers and e-mail addresses could have been compromised. With the e-mail addresses of Timehop users, hackers can arrange targeted spear-phishing campaigns that attempt to fool users into revealing more information, or use them for widespread spam or standard phishing campaigns. Hackers could then combine this additional information with a user’s phone number to complete a SIM jacking attack. Therefore, it would be a good idea to have a PIN or passcode set up on your mobile phone account.