Timehop, an app that resurfaces old posts from users’ social media profiles, has disclosed a breach in which users’ basic contact information was exposed, as well as “access tokens” that the app uses to gather information from users’ social media accounts.
The names and email addresses of 21 million users were exposed, the company says. Of those users, about 4.7 million had their phone numbers also exposed.
Timehop says it has deauthorized the access tokens, which are provided by its social media partners so the app can access that content. The company also forced all accounts to log out. When users try to log in again, they will also have to reauthenticate each social media site they want to use with Timehop in order to generate new, secure tokens.
In a blog post Sunday disclosing the incident, Timehop stresses that the tokens do not give anyone access to private messages on Twitter, Instagram or Facebook, nor to friends’ posts on users’ Facebook walls.
“However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened,” the company says.
Timehop said that it observed the breach as it was occurring on July 4 and that it locked out the attackers two hours and 19 minutes later. The blog post disclosing the incident went up on Sunday, July 8 and users are being notified as they log into the app.
“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” the company writes. “Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your ‘Memories’ after you’ve seen them.”
‘Fallen through the cracks’
In a technical report, the company says that the initial compromise happened on Dec. 19, 2017, when an attacker accessed Timehop’s cloud computer environment using an administrative user’s credentials. The employee’s account did not have multi-factor authentication in place, Timehop said.
“[W]e don’t know how they got that employee’s credentials. It was our mistake not to have [two-factor authentication] on that account,” Rick Webb, Timehop’s chief operating officer, told CyberScoop by email. “We do generally use [two-factor authentication], but the employee has been around a long time and built a significant amount of the systems. It seems to have just fallen through the cracks.”
The attacker then created a new administrative account and conducted “reconnaissance activities,” according to the writeup, for two days in December, one day in March and one day in June.
The final incident in July involved an attack on Timehop’s production database and a transfer of data. Part of that operation set of an alarm for Timehop, prompting its engineers to jump in and secure the environment, the company writes.
“It’s an enormous task for these sites to get their own house in order,” said Fred Kneip, CEO of security firm CyberGRX. “This breach demonstrates that, even if internal policies and procedures are squared away, social media platforms still have to ensure that partners like Timehop have the proper security controls in place to safeguard users’ data.”
Timehop says it has conducted an initial security audit, changed all its own passwords and keys, added multi-factor authentication to all its cloud accounts and revoked all inappropriate permissions. The company has also brought on a “cyber threat intelligence and dark web research firm” to further investigate the attack.