Timehop data breach is worse than they initially said

Dates of birth and gender were also stolen by hackers.

‘Time capsule’ app Timehop has revealed that it made a boo-boo when it shared details over the weekend of a data breach involving millions of users’ names, email addresses, and phone numbers.

An updated advisory from the firm reveals that the hackers, who first gained access last December but only made off with the organisation’s data on July 4th, also purloined users’ dates of birth, gender, and country codes.

The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately from one another and are not additive, since one record can appear in several rows. The total number of breached records was approximately 21 million, says Timehop.

Type of personal data combination     # of breached records   # of breached GDPR records
Name, email, phone, DOB               3.3 million             174,000
Name, email address, phone            3.4 million             181,000
Name, email address, DOB              13.6 million            2.2 million
Name, phone number, DOB               3.6 million             189,000
Name and email address                18.6 million            2.9 million
Name and phone number                 3.7 million             198,000
Name and DOB                          14.8 million            2.5 million

Totals by data type                   # of breached records   # of breached GDPR records
Name                                  20.4 million            3.8 million
DOB                                   15.5 million            2.6 million
Email addresses                       18.6 million            2.9 million
Gender designation                    9.2 million             2.6 million
Phone numbers                         4.9 million             243,000

No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency.

I’m impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published.

No one disagrees, however, that this breach should never have happened in the first place.

A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator’s password. That account should have been protected with multi-factor authentication, but wasn’t.

The hacker then created his or her own admin account, meaning that even if the original breached account’s password were changed they would still have access to Timehop’s cloud environment. On subsequent visits those cloud services offered the hacker nothing of value, until…

“In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”
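The chain above has two checkable failures: a privileged cloud account with no MFA, and an attacker-created admin account that survived any password reset of the account it was made from. The following is an added example, not code from Timehop or its technical report, showing the audit a practitioner would run against a cloud IAM user inventory. The inventory format, the user records, the roster of approved admins and the names (ops-alice, ops-bob, ops-bob2, svc-backup) are all constructed for the example; a real inventory would come from the provider’s IAM API or a CSV export, and the page does not say which provider Timehop used.

```python
# Added example (not Timehop's own code or report): audit a cloud IAM user
# inventory for the weaknesses in the breach chain described above.
# The record format, users, roster and timestamps below are constructed.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class IamUser:
    name: str          # account identifier as shown in the cloud console
    is_admin: bool     # holds an administrator / owner role
    mfa_enabled: bool  # multi-factor authentication enforced at login
    created_at: datetime
    created_by: str    # principal that created the account (from the audit log)


# Roster of admin accounts the security team has signed off on (constructed).
APPROVED_ADMINS = frozenset({"ops-alice", "ops-bob"})

# Constructed inventory mirroring the story: a legitimate admin has no MFA,
# and that admin's credentials were used to create a second admin account.
INVENTORY = [
    IamUser("ops-alice", True, True, datetime(2017, 3, 1), "root"),
    IamUser("ops-bob", True, False, datetime(2017, 5, 14), "root"),
    IamUser("svc-backup", False, False, datetime(2017, 6, 2), "ops-alice"),
    IamUser("ops-bob2", True, False, datetime(2017, 12, 19), "ops-bob"),
]


def admins_without_mfa(users):
    """Privileged accounts that a single stolen password fully compromises."""
    return sorted(u.name for u in users if u.is_admin and not u.mfa_enabled)


def unapproved_admins(users, approved=APPROVED_ADMINS):
    """Admin accounts nobody signed off on; this is how the attacker kept access."""
    return sorted(u.name for u in users if u.is_admin and u.name not in approved)


def created_by(users, principal):
    """Every account a given principal created. When that principal is
    compromised, resetting its password alone leaves all of these in place."""
    return sorted(u.name for u in users if u.created_by == principal)


def remediation_plan(users, compromised, approved=APPROVED_ADMINS):
    """Actions for a compromised admin account, grouped by action type."""
    return {
        "reset_and_enrol_mfa": [compromised],
        "review_created_by_compromised": created_by(users, compromised),
        "disable_unapproved_admins": unapproved_admins(users, approved),
        "enforce_mfa": [n for n in admins_without_mfa(users) if n != compromised],
    }


if __name__ == "__main__":
    for action, names in remediation_plan(INVENTORY, "ops-bob").items():
        print(f"{action}: {', '.join(names) or '-'}")
```

Run against the constructed inventory, the plan flags ops-bob2 three times over: it is an admin, it is not on the roster, it has no MFA, and it was created by the compromised account. That last check is the one a password reset on ops-bob would never have surfaced, which is exactly why the December intrusion was still live in July.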

So, yes, it’s good that Timehop is being transparent in how it communicates its breach, and it is no doubt conscious that its openness may be taken into consideration in any future GDPR fine. Other companies can learn from this.

But other companies can also take the opportunity to learn from the mistakes Timehop made to get themselves into this mess in the first place. If you’re responsible for securing your company, be sure to read Timehop’s technical report on what occurred, and the steps it took in response.

By the way, the Timehop data breach was one of the topics discussed in this week’s edition of the “Smashing Security” podcast, recorded before the company updated its security advisory with the additional information.

Smashing Security #86: ‘Elon Musk submarine scams and 2FA bypass’

Listen on Apple Podcasts | Google Podcasts | RSS for you nerds.
