Timehop breach: hackers steal 4m phone numbers and 21m email addresses

Cyber criminals have stolen the personal data of 21 million users of the social media service Timehop, it emerged last night.

The US startup, which lets social media users revisit posts from the same day in previous years, confirmed in a statement that a network intrusion led to a breach of names and email addresses. Around 4.7 million phone numbers were also taken.

The company downplayed the likelihood that social media posts were accessed, saying there had been “no confirmed reports” they had been compromised. But it added that access tokens provided to Timehop by social media companies were stolen during the breach.

“These tokens could allow a malicious actor to view without permission some of your social media posts,” the company said. “It is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts. We have no evidence this actually happened.”

How did the breach unfold?

The initial breach occurred shortly before Christmas last year, when an admin user’s credentials were used to log into the company’s cloud computing environment. The hacker created a new admin account and began investigating the platform. But it wasn’t until last week that the attacker started exfiltrating user data and Timehop became aware of the breach.

Timehop claims its engineers responded to the attack in less than two hours, putting in place measures to lock down its cloud environment. In addition to deactivating the keys that let it read social media posts, the company added multi-factor authentication to its cloud accounts.

“It’s ironic that a service which brings back memories from the past was also breached by an attack vector which is one of the oldest: taking over an administrator account,” said Imperva’s threat research director Ben Herzberg. “There are many solutions to this problem (like restricting access to the interface to certain IP addresses and two-factor authentication), yet they’re not the first (nor the last) company to be breached due to this.”
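The timeline above (a privileged login without MFA, a freshly created admin account, then months of silence before the data was pulled) maps onto a handful of audit-log detections a defender can run. The script below is an added example written for this article, not Timehop's or Imperva's code; it uses a generic CloudTrail-like JSON event shape, constructed sample events, an assumed trusted office/VPN range and an assumed 30-day dormancy threshold, none of which come from the article.

```python
"""Detection rules over cloud audit-log events, modelled on the breach timeline:
a privileged login without MFA, a new account given admin rights by that session,
privileged activity from an untrusted network, and a long gap before the new
account becomes active. Everything here is constructed for illustration."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample events in an assumed CloudTrail-like JSON shape.
# Dates and addresses are invented; they are not from the article.
SAMPLE_EVENTS = [
    '{"time":"2017-12-19T03:12:44Z","event":"ConsoleLogin","user":"ops-admin","mfa":false,"src_ip":"203.0.113.50","admin":true}',
    '{"time":"2017-12-19T03:15:02Z","event":"CreateUser","user":"ops-admin","target":"svc-backup","src_ip":"203.0.113.50","admin":true}',
    '{"time":"2017-12-19T03:15:30Z","event":"AttachAdminPolicy","user":"ops-admin","target":"svc-backup","src_ip":"203.0.113.50","admin":true}',
    '{"time":"2018-01-10T09:00:00Z","event":"ConsoleLogin","user":"alice","mfa":true,"src_ip":"198.51.100.7","admin":true}',
    '{"time":"2018-07-04T14:02:11Z","event":"DescribeSnapshots","user":"svc-backup","src_ip":"203.0.113.50","admin":true}',
    '{"time":"2018-07-04T14:05:40Z","event":"GetDatabaseDump","user":"svc-backup","src_ip":"203.0.113.50","admin":true}',
]

TRUSTED_CIDRS = ["198.51.100.0/24"]  # assumed office/VPN range
DORMANCY_DAYS = 30                    # assumed threshold for "created, then quiet"


def parse_events(lines):
    """Parse JSON lines into dicts with a timezone-aware datetime under 'ts', sorted by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _trusted(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def find_findings(events, trusted_cidrs=TRUSTED_CIDRS, dormancy_days=DORMANCY_DAYS):
    """Return (rule, user, detail) tuples in event order."""
    findings = []
    created = {}          # target account -> creation time
    elevated = set()      # accounts that were given admin rights after creation
    first_activity = {}   # elevated account -> first time it acted on its own
    seen_untrusted = set()

    for ev in events:
        user, kind, ip = ev["user"], ev["event"], ev["src_ip"]

        # Rule 1: a privileged login that was not protected by MFA.
        if kind == "ConsoleLogin" and ev.get("admin") and not ev.get("mfa"):
            findings.append(("admin_login_without_mfa", user, ip))

        # Rule 2: privileged activity from outside the trusted ranges (once per user/IP).
        if ev.get("admin") and not _trusted(ip, trusted_cidrs) and (user, ip) not in seen_untrusted:
            seen_untrusted.add((user, ip))
            findings.append(("admin_activity_from_untrusted_ip", user, ip))

        # Rule 3: a new account is created and then handed admin rights.
        if kind == "CreateUser":
            created[ev["target"]] = ev["ts"]
        elif kind == "AttachAdminPolicy" and ev["target"] in created:
            elevated.add(ev["target"])
            findings.append(("new_admin_account_created", user, ev["target"]))

        # Rule 4: an elevated account that first acts long after it was created.
        if user in elevated and user not in first_activity:
            first_activity[user] = ev["ts"]
            gap = (ev["ts"] - created[user]).days
            if gap >= dormancy_days:
                findings.append(("dormant_admin_account_activity", user, f"{gap} days after creation"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_findings(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:36} {user:12} {detail}")
```

Rules 1 and 2 correspond directly to the two controls Herzberg names (MFA and IP restriction); rules 3 and 4 would have surfaced the December account creation and the July reactivation independently of whether the original credential theft was ever noticed. In a real deployment the trusted ranges and dormancy threshold should come from the organisation's own inventory rather than the constants used here.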

Timehop said it had reported the breach to regulatory authorities. An ICO spokesperson said: “All organisations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us.”