A Data Breach Affecting 21 Million Users Hits Timehop App
Timehop is an application that reminds you how embarrassing your old tweets and Facebook statuses are. Now it's Timehop's creators' turn to feel embarrassed: thanks to sloppy security practices, they suffered a breach that was entirely avoidable.
It all started in December 2017 when, using stolen credentials that belonged to a Timehop administrator, cybercriminals accessed one of the app creator's servers. At the time, the server held nothing of interest to the crooks, but they nevertheless created an administrator account of their own so that they could keep an eye on it. Over the next several months, they periodically logged in to check whether there was anything worth stealing.
Throughout all this, Timehop's administrators were none the wiser, and in April they migrated a database containing a large amount of their users' personal data to the compromised server. When they logged in again in June, the crooks noticed the sensitive information but chose not to steal it immediately. The hit would take place on July 4, when most of Timehop's employees would be celebrating US Independence Day.
The clever timing certainly did the trick. When they were called in, Timehop's engineers thought that they were dealing with a simple outage. To remedy it, they reset the database password and, without knowing it, kicked the criminals out, but it was already too late. It wasn't until the next day that Timehop's technicians realized that they were dealing with a data breach.
Approximately 21 million users are affected. At first, Timehop thought that the only stolen personal details were names, email addresses, and phone numbers, but after further investigation, they realized that some users also had their dates of birth, gender, and country codes leaked. Worryingly, social media access tokens were lifted as well.
These access tokens are at the heart of Timehop's operation. In order to remind you of that Facebook post from two years ago, the app needs to see it, and the access tokens act as permits to view what you've shared. A token of this kind is a bearer credential: whoever presents it to the social network's API can read whatever the user authorized Timehop to read, with no need for the user's password. The fact that the crooks made off with them means that they too could have read users' social media profiles. Thankfully, Timehop and its social networking partners reacted quickly and invalidated the tokens before the crooks could make use of them.
We must say that when it comes to the disclosure and post-incident handling of the breach, we've seen a lot worse. Timehop put out a report and a timeline that explain in great detail exactly what happened. Users can really understand how it all panned out and how Timehop reacted to the breach. They can also get some tips on how to protect themselves now that their data is circulating on hacking forums. All in all, Timehop's management appear to be extremely transparent and honest about the whole thing.
Unfortunately, this is no excuse for the company's dismal security posture before the breach. The crooks spent months gathering intelligence undetected, and while you could put some of that down to their patience, some of Timehop's blunders are simply inexcusable. The entire intrusion hinged on a single stolen password: the administrator account was not protected by a second factor, so the stolen credentials alone were enough to get in, and nobody noticed when a brand-new administrator account appeared. It's the 21st century, and if you're handling the data of millions of people without basic security mechanisms like multi-factor authentication on administrative access, you've completely failed to understand your responsibilities toward your users. Here's hoping that this will be a lesson to software developers the world over.
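To make the multi-factor point concrete, here is an added example, written for this article and not code from Timehop, of what an administrative login that requires a second factor looks like. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, stores passwords as salted PBKDF2 hashes, and accepts each TOTP counter value only once so that a captured code cannot be replayed. The `AdminDirectory` class, the `ops-admin` user and the `simulate_stolen_credentials` scenario are hypothetical constructions for illustration; the scenario shows that a stolen password by itself is refused, which is exactly the check that was missing in the breach described above.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class AdminDirectory:
    """Hypothetical admin login store (constructed for this example).

    Each admin has a salted PBKDF2 password hash and a TOTP secret. Login
    requires both the password and a current TOTP code, and each counter
    value is accepted at most once, so a password on its own (or a replayed
    code) is never sufficient.
    """

    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_admin(self, username: str, password: str) -> bytes:
        """Enroll an admin; the returned TOTP secret goes into their authenticator once."""
        salt = secrets.token_bytes(16)
        totp_secret = secrets.token_bytes(20)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest TOTP counter already consumed
        }
        return totp_secret

    def login(self, username: str, password: str, code: Optional[str],
              now: Optional[int] = None, step: int = 30, window: int = 1) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            return False
        if code is None:
            return False  # a stolen password alone is refused here
        now = int(time.time()) if now is None else now
        counter = now // step
        # Tolerate +/- one step of clock skew, but never a counter already used.
        for c in range(counter - window, counter + window + 1):
            if c <= user["last_counter"]:
                continue
            if hmac.compare_digest(hotp(user["totp_secret"], c), code):
                user["last_counter"] = c
                return True
        return False


def simulate_stolen_credentials(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the attacker holds a valid admin password but not the second factor."""
    directory = AdminDirectory()
    totp_secret = directory.add_admin("ops-admin", "correct horse battery staple")
    good_code = totp(totp_secret, now)
    return {
        "password_only": directory.login("ops-admin", "correct horse battery staple", None, now),
        "password_and_code": directory.login("ops-admin", "correct horse battery staple", good_code, now),
        "replayed_code": directory.login("ops-admin", "correct horse battery staple", good_code, now + 5),
        "wrong_password": directory.login("ops-admin", "guess", good_code, now),
    }


if __name__ == "__main__":
    for outcome, ok in simulate_stolen_credentials().items():
        print(f"{outcome:18s} -> {'accepted' if ok else 'refused'}")
```

The `hotp` and `totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 1 gives `287082`; time 59 with eight digits gives `94287082`), so they interoperate with any standard authenticator app. The one-shot counter check is what stops an attacker who phishes both the password and a code from reusing that code a few seconds later.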