Sunday 23rd September 2018

Timehop announces data breach affecting 21 million users

An unauthorized user obtained administrator privileges and accessed Timehop's Cloud Computing Environment on a number of occasions between December 2017 and July 2018. Users' names, email addresses and phone numbers have been compromised in the breach.
by Jason Smith on 10th July 2018

Timehop, an application that archives social media posts, has announced a data breach affecting 21 million users.

The breach occurred on 4th July 2018 and was reported by Timehop on 8th July 2018. Timehop detected the “network intrusion” as it occurred and, two hours and nineteen minutes later, managed to “lock out the attackers”.

However, in its technical explanation of the attack, Timehop states that an authorized administrative user’s credentials were compromised on 19th December 2017.

Consequently, an unauthorized user created a new administrative account and conducted “reconnaissance activities” within Timehop’s cloud computing environment in December 2017, as well as on one day in March 2018 and one day in June 2018.

Meanwhile, the “network intrusion” on 4th July consisted of an attack on Timehop’s production database as well as the transfer of data. It’s unclear why it took until 4th July 2018 for Timehop to realize an unauthorized user had managed to obtain administrator privileges.

As EU citizens have been affected, the breach falls under the scope of the General Data Protection Regulation (GDPR), which demands organizations announce data breaches within 72 hours of discovering them.

According to Timehop, data affected in the breach comprises users’ names, email addresses and “some phone numbers”; however, it also states that no financial details, private or direct messages or social media posts were leaked.

In an announcement about the breach, it also states that users’ social media access tokens, which allow third-party developers access to users’ social media accounts, were compromised and have since been deactivated.

Consequently, there was a “short time window,” before the access tokens were deactivated, in which the attackers could have gained access to users’ social media accounts. Timehop states it has “no evidence that this actually happened”.

Moreover, Timehop claims the access tokens provided by users only granted it access to a user’s social media posts, i.e. they didn’t provide access to direct messages or content posted by friends.

In its announcement, it also claims “GDPR regulations are vague on a breach of this type” but says it is proactively alerting all of its EU users about the breach “as quickly as possible”.

It also states it has informed “local and federal law enforcement officials” and “will cooperate with all investigations on this matter”.