Timehop, an app that reminds social media users about posts from their past, has disclosed that it suffered a major security breach on July 4. According to the company, 21 million users had some form of personal data stolen. Attackers were also able to retrieve access tokens that would have enabled them to view users’ posts on Facebook, Instagram, Twitter, and Foursquare.
On Sunday, Timehop published a blog post in which it described a breach that occurred at 2:04 PM on Independence Day. Remarkably, its cloud servers were not protected by multi-factor authentication, a security protocol that should be considered a default for any company. The hackers are said to have had access to the Timehop system for a little over two hours.
The company has published a detailed timeline of its response but most users will want to know what was stolen and what they need to do next. The names and email addresses associated with 21 million accounts were stolen and 4.7 million of those accounts had a phone number attached. That would be bad enough, but what could be more worrisome is that the intruders were able to take control of the access tokens Timehop uses to pull information from social media accounts. Theoretically, those tokens could be used to view (and scrape) social media posts that aren’t made public, but Timehop claims that it deactivated the tokens quickly and there’s no evidence that anyone’s accounts were accessed.
At the moment, we have to take Timehop’s word on just how significant this breach was and how much information was accessed. In its technical report, it does say that an unauthorized user first accessed its cloud computing provider on December 19, 2017, to conduct reconnaissance. They did this on four other occasions without being detected.
The company says it enlisted the services of an outside cybersecurity incident response company to conduct an audit of its system, contacted law enforcement, and is working with its social media partners to continue monitoring for further breaches. “No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached,” Timehop claimed.
To be safe, users who logged into Timehop with a phone number should contact their cell provider, set a new account password, and ask if there are any other security measures available. Any users who want to log back into Timehop will have to reauthorize the service’s social media access because of the deactivated tokens.
Once again, this news is a reminder that giving a third party access to your social media data puts a lot of trust in the app and is generally just a bad idea.
Update July 11: It’s worse than we thought. According to TechCrunch, “additional information, including date of birth and gender, was also taken.”
[Timehop, Technical report via MacRumors]