
Timehop data breach, data from 21 million users exposed

Timehop, the service that aims to help people find new ways to connect with each other by analyzing past activities, has been hacked.

Timehop is a service that aims to help people find new ways to connect with each other by analyzing past activities.

“Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era. We have more “old” photos and content than ever before, yet most of the internet focuses on “new”.” reads its website.

The Timehop service leverages posts from many social networks to build its own memory and use it to create new connections, but something went wrong.

The company admitted that data describing 21 million members may have been exposed.

Unknown attackers breached its systems; the company discovered the intrusion while the attackers were still exfiltrating data.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” reads the data breach notification published by the company.

Stolen data includes names, email addresses, and some phone numbers. No private/direct messages, financial data, social media or photo content, or Timehop data (including streaks) were exposed.

The company pointed out that none of the users’ “memories” (the social media posts and photos that Timehop stores) were accessed by the attackers.

The company admitted that the attackers obtained an access credential to its cloud computing environment, which, incredibly, was not protected by multifactor authentication.

The security team locked out the attackers two hours and nineteen minutes after discovering the intrusion.

The attackers also accessed the keys that let Timehop read and show you your social media posts (but not private messages). In response to the incident, the company's IT staff deactivated them, which means that users will have to re-authenticate to the app.

The bad news is that the security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. Timehop tried to downplay the problem, explaining that the tokens were quickly revoked and no longer work.

“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.” continues the company’s notification. “However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.”

Timehop is advising users who provided a phone number for authentication to take additional security precautions with their cellular provider to ensure that their number cannot be ported.

The company has now taken steps to improve the security of its architecture, including the adoption of multifactor authentication to secure its authorization and access controls on all accounts.

Technical details about the incident have been published in this post.

Pierluigi Paganini

(Security Affairs – Timehop, Data Breach)
