Yet another massive data breach and this time it is Timehop. Timehop Data Breach exposed personal data of 21 million users.
On July 4, 2018, Timehop experienced a network intrusion that led to this breach. This breach exposed names, email addresses and phone numbers of 21 million users, which is considered as sensitive personal information. Timehop also confirmed that no financial data was exposed as part of this data breach.
Timehop links user accounts with other social media websites and cloud drives like Facebook, Twitter, Instagram, Google Photos, Apple Photos, and Dropbox. Keys or authentication tokens, which are used to access these accounts were also compromised. These tokens could allow a malicious user to view your social media posts. However, Timehop has deactivated these keys so that attackers can’t misuse it to access social media accounts.
As reported by the company, on July 4, 2018 at 2:04 pm, Timehop observed a network intrusion. Timehop Data Breach occurred because an access credential to cloud computing environment was compromised. That cloud computing account had not been protected by multi-factor authentication.
The breach lasted for approximately 2 hours 19 mins. Timehop was able block the attacker at 4:23 PM the same day.
Sensitive Information Compromised
The names, email addresses and phone numbers of Timehop users were breached. According to Timehop, No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached. 21 million accounts were affected with a name and email, as reported by Timehop only 22% or 4.7 million of those accounts have a phone number.
So far, there is no confirmed reports of any unauthorized access of user data through the use of access tokens, which are used to access connected social media and cloud drive accounts.
What You Need to Do
Protect Phone Number
If you are Timehop user and you used a phone number to login on Timehop, first thing you need to do is to protect phone number. If your phone number is already protected by PIN for any important changes on your account, then might be safe. But, you should reach out to your service provider to get further information on protecting your phone number to ensure that it can’t be ported.
We use our phone number for everything these days. In most cases, it’s your 2-step verification system, which means that you receive all the login codes via SMS for various accounts. If a hacker can access your phone number, it may be a bigger issue than you can imagine. It’s called Sim Hijacking.
It’s a good time to check that you have a pin or pass-code setup with you mobile service provider. These are the codes that you have to present when asking for certain significant changes on your account.
Email and Password
Having your email address exposed may not be an issue. Timehop didn’t mention anything about the passwords and passwords were not part of Timehop Data Breach.
How Timehop can protect you in future
As reported by Timehop in their security notification
There is no such thing as perfect when it comes to cyber security.
but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multi-factor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to de-authorize compromised access tokens, and as we describe below, are worked with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases.
Implications under GDPR
Timehop company says, although GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.