Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base). Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.
The startup, whose service plugs into users' social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit not before millions of people's data had been breached.
According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.
It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital "memories" was affected.
However, the keys that let it read and show users their social media content have been compromised — so it has deactivated all keys, meaning Timehop users will have to re-authenticate to its app to continue using the service.
"If you have noticed any content not loading, it is because Timehop deactivated these proactively," it writes, adding: "We have no evidence that any accounts were accessed without authorization."
It does also admit that the tokens could "theoretically" have been used by unauthorized users to access Timehop users' own social media posts during "a short time window" — though again it emphasizes "we have no evidence that this actually happened".
"We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile," it adds.
"The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don't store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your 'Memories' after you've seen them."
In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop's cloud computing environment by targeting an account that had not been protected by multifactor authentication.
That's very clearly a major security failure — but one Timehop doesn't explicitly explain, writing only that: "We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts."
Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to "all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)". So evidently there was more than one vulnerable account for attackers to target.
Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.
For now, by way of explanation, it writes: "There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades." Which does have a distinct 'stable door being locked after the horse has bolted' feel to it.
It also writes that it carried out "the introduction of more pervasive encryption throughout our environment" — so, again, questions should be asked why it took an incident response to trigger a "more pervasive" security overhaul.
Also not entirely clear from Timehop's blog post: when/if affected users have been notified that their information has been breached.
The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some "unscheduled maintenance" might be causing problems for users accessing the app…
We've reached out to the company with questions and will update this post with any response. Update: A Timehop spokesman says individual users are being notified as they log back in to the app.
"An email to the entire user base is in the works for today," he tells TechCrunch. "[It] took some time to get our send grid account ready for that many emails as we are not a big email sender in general."
In terms of the reasons behind the multifactor fail, the spokesman said it's still investigating why there was a security lapse "as we do generally make use of it". "But this employee was here for so long, from back when we were just a baby company, so it seems something got overlooked," he adds.
In its blog about the incident, Timehop says that at the same time as it was working to shut down the attack and tighten up security, company executives contacted local and federal law enforcement officials — presumably to report the breach.
Breach reporting requirements are baked into Europe's recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a general standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in "a risk to the rights and freedoms of natural persons").
Referencing GDPR, Timehop writes: "Although the GDPR regulations are vague on a breach of this type (a breach must be 'likely to result in a risk to the rights and freedoms of the individuals'), we're being pro-active and notifying all EU users and have done so as quickly as possible. We've retained and have been working closely with our European-based GDPR specialists to assist us in this effort."
The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that "while none have appeared to date, it is a high likelihood that they will soon appear".
Timehop users who are worried the network intrusion and data breach might have impacted their "Streak" — aka the number Timehop displays to show how many consecutive days they've opened the app — are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".