Updated: Timehop exposes personal information of its entire user base

Celebrating Independence Day with a data breach

Timehop, the 'time capsule' app that resurfaces old social media posts, has announced that it was breached on 4 July. The names and email addresses of 21 million users, essentially the app's entire user base, were taken, along with about 4.7 million phone numbers.

Further information released by the company on 12 July shows that other personal data was also stolen, including dates of birth on 15 million accounts and gender on a further 9 million.

The hacker got into a cloud computing account that wasn't protected by multifactor authentication (MFA). As well as transferring data, the attacker targeted Timehop's production database.

The company found and stopped the breach after two hours and 19 minutes, but not before the hacker stole a large amount of data.

Timehop's preliminary investigation found that the attacker first accessed its cloud account in December, using a legitimate administrator's credentials, and used that access to create a new admin account and begin scouting the environment. The attacker returned to do the same on separate occasions in December, March and June, before launching the attack last week.

The company originally stressed that no other information, such as financial data, direct messages or the content of social media posts, was stolen. Its subsequent examination of the hack, however, found that dates of birth, gender and country were also exposed.

The company said, 'As we examined the more comprehensive audit on Monday of the actual database tables that were stolen, it became clear that there was more information in the tables than we had originally disclosed.

'We are deeply sorry for this secondary disclosure.'

Timehop also gave more detail on how the hack unfolded. It said the attacker was able to reach the personal data after the compromised administrator migrated a user table into a database the attacker was already watching; later, the attacker restored a snapshot containing that data into a new cluster.

As well as the personal information, Timehop said that the keys that it uses to access social media posts were compromised, so it has deactivated all of them; users will need to re-authenticate the app for each site.

There is a chance that users' social media posts could have been viewed in 'a short time window', but the company says there is 'no evidence' that this happened.

In response, Timehop has promised to add MFA to every cloud-service account that did not already have it, and to increase alarming and monitoring. Its blog post does not say why the vulnerable account(s) were not already using what should be a very basic security control.

Timehop told TechCrunch that the account, which was set up when the company was very young, may have just been missed and that it does use MFA generally.
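The two controls that would have caught this account, an MFA check over every console-capable identity and a password-age check (the point Verodin's James Lerud raises later in this piece), are easy to script against a cloud provider's credential export, and the attacker's first moves (a login without MFA, then creation of a second admin) are equally easy to flag in the audit log. The example below is added here and is not Timehop's tooling; the article does not name the provider, so it assumes an AWS-style IAM credential report (a constructed subset of its columns) and CloudTrail-style events, all of which are constructed sample data.

```python
"""Audit a cloud IAM credential report for the weaknesses in the Timehop
account (a console login with no MFA, a password left unchanged for months)
and flag audit-log events in which a new user is created and granted admin
rights. Added example; the provider, column layout, event shapes and sample
data are all assumptions, not details from the article.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed credential report using a subset of the columns AWS IAM emits.
# "legacy-admin" mirrors the article: console password, no MFA, stale password.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-02-01T10:00:00+00:00,not_supported,2018-07-04T20:00:00+00:00,not_supported,not_supported,true,false,N/A
legacy-admin,arn:aws:iam::111122223333:user/legacy-admin,2014-02-01T10:05:00+00:00,true,2018-07-04T20:04:00+00:00,2017-11-15T09:30:00+00:00,N/A,false,true,2017-11-15T09:30:00+00:00
ops-admin,arn:aws:iam::111122223333:user/ops-admin,2017-05-20T08:00:00+00:00,true,2018-07-02T11:00:00+00:00,2018-06-01T08:00:00+00:00,N/A,true,true,2018-06-01T08:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2017-05-20T08:10:00+00:00,false,no_information,N/A,N/A,false,true,2018-05-01T00:00:00+00:00
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy
REPORT_DATE = datetime(2018, 7, 12, 12, 0, tzinfo=timezone.utc)  # assumed audit date


def _parse_ts(value):
    """ISO-8601 timestamp from the report; placeholders (N/A, not_supported, ...) -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for console-capable identities without MFA
    and for passwords older than MAX_PASSWORD_AGE_DAYS. Root is in scope even
    though the report marks its password column "not_supported"."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] not in ("true", "not_supported"):
            continue  # API-only identity: no console login to protect with MFA
        if row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        changed = _parse_ts(row["password_last_changed"])
        if changed is not None:
            age = (now - changed).days
            if age > MAX_PASSWORD_AGE_DAYS:
                findings.append((user, f"password unchanged for {age} days"))
    return findings


# Constructed CloudTrail-style events following the path the article describes:
# a login on the legacy admin's credentials, then creation of a second admin.
AUDIT_EVENTS = [
    {"eventTime": "2017-12-19T02:11:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "legacy-admin"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2017-12-19T02:14:00Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "legacy-admin"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2017-12-19T02:15:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "legacy-admin"},
     "requestParameters": {"userName": "backup-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2018-06-02T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "ops-admin"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.5"},
]

ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}  # extend per environment


def detect_suspicious_events(events):
    """Flag console logins without MFA and any user handed an admin policy,
    noting when that user was created earlier in the same event stream."""
    alerts = []
    created = set()
    for e in events:
        name = e["eventName"]
        actor = e["userIdentity"]["userName"]
        if name == "ConsoleLogin":
            if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(f"{e['eventTime']}: {actor} logged in without MFA "
                              f"from {e['sourceIPAddress']}")
        elif name == "CreateUser":
            created.add(e["requestParameters"]["userName"])
        elif name == "AttachUserPolicy":
            target = e["requestParameters"]["userName"]
            if e["requestParameters"]["policyArn"] in ADMIN_POLICY_ARNS:
                tag = "newly created " if target in created else ""
                alerts.append(f"{e['eventTime']}: {actor} granted admin policy "
                              f"to {tag}user {target}")
    return alerts


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT, REPORT_DATE):
        print(f"FINDING {user}: {finding}")
    for alert in detect_suspicious_events(AUDIT_EVENTS):
        print("ALERT", alert)
```

Run on the constructed data, the audit reports the legacy account twice (no MFA, password 239 days old) and stays silent on the MFA-protected operator and the API-only deploy user; the event scan raises the non-MFA login and the grant of administrator rights to the freshly created account. Against a real account the report comes from the provider's credential export and the events from its audit trail, and the admin-policy set should include any customer-managed policy that grants equivalent rights.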

Taking a 'locking the stable door after the horse has bolted' approach, the company says it began 'a program of security upgrades' as soon as the incident was spotted.

Company executives contacted law enforcement officials soon after the breach, presumably to report it. That is separate from the GDPR obligation: Timehop has users worldwide, including in Europe, so like any data controller it must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals.

‘Although the GDPR regulations are vague on a breach of this type (a breach must be "likely to result in a risk to the rights and freedoms of the individuals"), we are being proactive and notifying all EU users and have done so as quickly as possible', the company says in its blog. ‘We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.'

Although there may not be a risk to rights and freedoms, personal data has doubtless been exposed, so we expect an EU supervisory authority to levy a fine on Timehop. The company does not disclose financial information, however, so the possible amount is unclear.

James Lerud, head of the behavioural research team at Verodin, praised the company for its transparency and swift reaction, but added:

"On the negative side, the first unauthorised login took place over seven months ago; this could indicate that the password had not been changed in over six months. [Timehop] also did not have two-factor authentication enabled for all of their accounts, something they have since fixed.

"All in all, this incident should serve as a reminder that there is always room to improve security. Mature security shops need to practice how they play; knowing where your security stands through repeatable exercises with empiric results can help expose where controls are lacking."

This story was updated on 12/7/18 to reflect Timehop's new information disclosure.