Published: Mon, July 09, 2018
Finance | By Claude Patterson

Data breach on Timehop app exposes details of 21 MILLION users

Alarmingly, the company said data thieves could access Timehop's "access tokens" which allow its app to show people old social media posts from services such as Facebook and Instagram.

Timehop said that the details were stolen because it didn't use two-factor authentication (2FA) on its cloud computing login. The company added: "Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don't store copies of your social media profiles, we separate user information from social media content - and we delete our copies of your 'Memories' after you've seen them."

The company also says hackers stole "access tokens", which were provided to the company by their social media providers.

In an official statement, Timehop says it was able to stop the attack but not before the above data was stolen.

But the company also said the breach had started in December, and that it only became aware of the problem in July.

"We have deactivated these keys so they can no longer be used by anyone", the company said. With the new GDPR privacy law defining a breach as "likely to result in a risk to the rights and freedoms of the individuals", Timehop claims to have notified all its European users of the breach, and says that it is working closely with European-based GDPR experts to assist in the countermeasures.

Secure your phone. Avoiding public Wi-Fi and installing a screen lock are simple steps that can hinder hackers. Installing anti-malware can also be beneficial. Timehop swears blind that the tokens have been revoked and just won't work any more. Timehop system administrators have added the necessary protections for the accounts that didn't have them and are confident such an attack can't be repeated.

Astonishingly, the attack was possible because Timehop didn't itself use 2FA for its cloud computing login!

Timehop users who are anxious that the network intrusion and data breach might have impacted their "Streak" - aka the number Timehop displays to denote how many consecutive days they have opened the app - are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".

Timehop is making it clear that, "No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected". "We have no evidence that any accounts were accessed without authorization".

It can't be nearly as comforting on the matter of purloined phone numbers, advising those who shared such data with the company that "It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported". At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate.
