Timehop deactivates 21 million user accounts after hackers steal access keys, other data

News by Teri Robinson


Timehop has deauthorised all 21 million of its user accounts after intruders infiltrated its cloud infrastructure on 19 December 2017 through a poorly protected admin account and pilfered information, including access keys that could be used to gain entry to the victims' social media accounts, which the app reads in order to recall posts from the same date in previous years.

"To reiterate: none of your 'memories' - the social media posts & photos that Timehop stores - were accessed," Timehop said in a statement about the hack, which went undetected until 4 July, when the intruders began to extract information. "If you have noticed any content not loading, it is because Timehop deactivated these proactively," the company said, noting there was "no evidence that any accounts were accessed without authorisation."

Users were logged out of their accounts until the company could reset all keys, Timehop said.

In addition to access keys, the hackers nicked email addresses, usernames (many of them are not real names) and telephone numbers, although only about 4.7 million users had phone numbers attached to their Timehop accounts. 

"The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service," the company said, stressing that it does not store credit card or financial data, location data, or IP addresses. Nor does it store copies of social media profiles, and user information is kept separate from social media content. The company explained that it deletes its copies of users' "Memories" after users have seen them.

Timehop's response reflects a growing trend among organisations to notify customers promptly. "We're seeing an increase in breach notification, as organisations do their utmost to adhere to the 72-hour imposed timescales," said Dan Pitman, senior solutions architect at Alert Logic. "Although Timehop was guilty of a 'schoolboy' error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly."

Timehop is a smartphone app that collects users' old photos and posts from Facebook, Instagram, Twitter and Dropbox and resurfaces them for sharing with friends.

Ben Herzberg, director of threat research at Imperva, said: "It's ironic that a service which brings back memories from the past was also breached by an attack vector which is one of the oldest: taking over an administrator account. There are many solutions to this problem (like restricting access to the interface to certain IP addresses and two-factor authentication), yet they're not the first (nor the last) company to be breached due to this.

"My hopes are that with the new privacy regulations, such as GDPR, companies will take better care of PII (Personal Identifiable Information), and such incidents will be less common."

Andrew Bushby, UK director at Fidelis Cybersecurity, offers the following comment: "Hackers have long managed to conduct successful breaches by conducting uninterrupted reconnaissance of internal IT networks – and Timehop is a prime example of how these tactics still work. As part of the process, attackers will find credentials that give them access to valuable information – in this instance, user data. While Timehop was quick to communicate the breach and comply with EU GDPR, the incident highlights the need for all organisations to have complete visibility into what is happening to their IT systems and proactively hunt for unknown threats.

"One of the most successful ways to catch out hackers performing reconnaissance is to lure them in using deception techniques in the form of decoys. Storing fake user credentials and permissions is a tempting target for an attacker who is trying to find an account with which they can, for example, reset a user's password. Drawing the attention of cybercriminals towards decoys, traps, and lures that have been placed across the network allows for alerts to be triggered more quickly – lowering the risk of actual data being accessed and giving security teams the chance to react immediately. Put simply, Timehop can prevent similar reconnaissance attacks from happening in the future by introducing deception technology as part of a post-breach defence strategy."
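The controls the two commentators describe (multi-factor authentication and IP restriction on the admin interface, and decoy credentials that should never be used legitimately) are easy to turn into detection rules over a console audit log. The following is an added example, not Timehop's code or anything from the sources quoted above; the event format, the allowlisted network, the decoy account name and the sample events are all constructed for illustration and do not reflect any real provider's log schema or the actual Timehop logs.

```python
"""Policy checks over constructed cloud-console sign-in events.

Three rules, matching the advice quoted in the article:
  1. an admin sign-in that succeeded without MFA;
  2. an admin sign-in from outside the admin IP allowlist;
  3. any use of a decoy (honeytoken) credential, success or failure.
Everything below (schema, addresses, account names) is an assumption made
for this example, not a real audit-log format.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample events in a hypothetical JSON-lines audit format.
SAMPLE_EVENTS = [
    '{"ts": "2017-12-19T03:12:44Z", "user": "ops-admin", "role": "admin", '
    '"mfa": false, "src_ip": "203.0.113.77", "result": "success"}',
    '{"ts": "2017-12-20T09:01:10Z", "user": "alice", "role": "admin", '
    '"mfa": true, "src_ip": "198.51.100.12", "result": "success"}',
    '{"ts": "2018-07-04T14:22:05Z", "user": "svc-backup-ro", "role": "reader", '
    '"mfa": false, "src_ip": "203.0.113.77", "result": "success"}',
    '{"ts": "2018-07-04T14:25:31Z", "user": "bob", "role": "developer", '
    '"mfa": true, "src_ip": "198.51.100.40", "result": "failure"}',
]

# Policy inputs (assumed values for this example).
ADMIN_IP_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Decoy accounts are planted and never used by staff, so any attempt
# to authenticate as one is a high-confidence signal of reconnaissance.
DECOY_USERS = {"svc-backup-ro"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    rule: str


def parse_event(line: str) -> dict:
    """Decode one JSON-lines audit record."""
    return json.loads(line)


def check_event(ev: dict) -> list[Finding]:
    """Apply the three rules to a single parsed event."""
    findings = []

    # Rule 3: decoy credential touched at all (failed attempts count too,
    # because the attacker may still be guessing the password).
    if ev["user"] in DECOY_USERS:
        findings.append(Finding(ev["ts"], ev["user"], "decoy_credential_used"))

    # Rules 1 and 2 only matter for successful privileged sign-ins.
    if ev["role"] == "admin" and ev["result"] == "success":
        if not ev["mfa"]:
            findings.append(Finding(ev["ts"], ev["user"], "admin_login_without_mfa"))
        src = ipaddress.ip_address(ev["src_ip"])
        if not any(src in net for net in ADMIN_IP_ALLOWLIST):
            findings.append(Finding(ev["ts"], ev["user"], "admin_login_outside_allowlist"))

    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run the checks over a batch of raw audit lines."""
    results = []
    for line in lines:
        results.extend(check_event(parse_event(line)))
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.user}: {f.rule}")
```

On the constructed input the first event trips both admin rules (no MFA, source outside the allowlist), the decoy account trips the honeytoken rule, and the two legitimate-looking events produce nothing. In practice the allowlist and decoy set would come from configuration rather than module constants, and the decoy rule is the one worth paging on, since it has essentially no benign explanation.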
