Timehop: Data of 21 million users compromised in July 4 hack


Timehop, the application that resurfaces old photos and posts on Facebook, on Sunday revealed that hackers had compromised the personal data of millions of its users.

The attackers, according to a preliminary investigation of the breach, stole roughly 21 million email addresses and names from Timehop during an attack last Wednesday, which took place on the Fourth of July.

From those affected users, the hackers also gained access to roughly 4.7 million phone numbers, the company wrote in a Sunday blog post.

The hackers' access to phone numbers poses an additional risk to those affected: phone numbers are increasingly used in "two-factor authentication" to boost security in a number of instances, from resetting passwords to authenticating account logins.

Aggressive hackers could potentially use a phone number to get around these security protections and cause further harm.

Despite this, the company says it has no evidence that "any accounts were accessed without authorization."

"It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported," the company adds.

Timehop also says none of the "memories," or photos from social media, were taken, nor were private messages and financial data.

According to a preliminary review of the attack, hackers used a compromised administrative user's credentials to penetrate Timehop’s cloud computing provider starting in mid-December.

The attacker then logged on intermittently from December to June to conduct reconnaissance, the company says.

The hackers then carried out the attack on the afternoon of July 4. Timehop engineers began to block the attack and lock down the compromised environment less than two hours after the attack began, the company says. 

Timehop, however, did not appear to have multifactor authentication applied across all its accounts before the incident occurred — a security vulnerability that the hackers may have been able to exploit.

"We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts," the company said, noting that this applied to all accounts, not just those in its cloud environment.

The company also says hackers stole “access tokens,” which were provided to the company by their social media providers.

"These tokens could allow a malicious actor to view without permission some of your social media posts," they write, noting that this largely means access to posts a user makes on their own wall.

"However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts — again, we have no evidence that this actually happened," the company noted.

The company said it has reset all its keys out of "abundance of caution," which will require users to re-authenticate their Timehop accounts before again using its service.

"If you have noticed any content not loading, it is because Timehop deactivated these proactively," the company writes.

Timehop first disclosed the cyberattack publicly in the Sunday blog post, several days after the breach unfolded.

"A significant amount of the time it took to respond publicly was making contact with a large number of partners and sharing information with them to help with a complex technical investigation and coordinate an incident response," the company writes.

The company's post, however, does not make clear if it notified affected users before publicly announcing the breach on Twitter and its own website days after the attack took place.

Timehop downplayed the impact of the attack.

"The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service," the company wrote in part.

"Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your 'Memories' after you’ve seen them."