Timehop hacked, 21 million user’s data theft

Share this…

Information attacks keep coming

Timehop, the social media app was affected by a massive data breach last July 4th, which compromised the personal data of its more than 21 million users, as reported by specialists in secure data destruction from the International Institute of Cyber Security.

Timehop is a very simple app that gathers photos and previous publications from iPhone, Facebook, Instagram, Twitter and Foursquare of its users, and acts like a digital time machine that helps you to find what you were doing exactly at this point in the last years on your social media accounts.

The company revealed last Sunday that unknown attackers managed to enter their cloud environment and access data from 21 million users, including their names, email addresses and more than 4 million phone numbers attached to their accounts.

“We learned of the breach while it was still underway and we were able to shut it down, but some data were leaked”, the company stated in a security notice posted on its website.

Access mechanisms were compromised too

Attackers obtained authorization tokens provided by other social media sites to Timehop to access messages and images on social networks of app’s users. By possessing these tokens, hackers can access to posts on Facebook and other social media without the user’s permission.

However, Timehop claims that all compromised tokens were unauthorized and invalid shortly after the company detected the violation in its network. Stolen access tokens can no longer be used to access any profile of social networks, and the company also claims that there is no evidence that this has really happened.

It is also noted that these tokens don’t provide access to user’s private messages on Facebook Messenger, direct messages on Twitter and Instagram, or anything your friends publish on their Facebook page.

Timehop also trusts that the security breach didn’t affect their messages, financial data, social media content and photos, and other contents of the app.

The company also noted that there is no evidence that any account access without authorization.

No identification factors

The same day Timehop identified the breach secure data destruction specialists reported the Gentoo attack on GitHub that allowed hackers to replace the contents of the project’s repositories and pages with malware after guessing the account password.

The Gentoo attack was possible due to the lack of the Two-factor Authentication Protocol (2FA) in their Github account. The 2FA asks users to enter an additional code besides the password to access the account. The same thing happened in the Timehop attack.

Since the company was not using 2FA, secure data destruction experts commented that attackers were able to access their cloud environment by using a compromised access credential.

Timehop has taken stronger security measures including multifactor authentication throughout the system to ensure authorization and access controls on every account.

In addition, Timehop immediately disconnected all its users from the application after the company invalidated all of its credentials, which means that users will have to re-authenticate each of their social network accounts in the app when they log in to their Timehop account to generate a new access token.

The company is also working with security experts, local and federal law enforcement agencies and their social media providers to minimize the impact on its users.

Since the new General Data Protection Regulation of the European Union defines a violation as “the possibility of generating a risk for the rights and freedoms of persons”, Timehop claims to have notified all its affected European users and is working closely with experts to assist in countermeasures.