Social media aggregation site Timehop has revealed a major breach of customers’ personal information affecting 21 million users.
The firm claimed in a post over the weekend that it discovered a network intrusion on July 4, leading to the compromise of names, email addresses and phone numbers.
The firm offers an unusual service in resurfacing old social media posts from years gone by. However, although the hackers stole the “access tokens” provided to Timehop by its social media partners, it claimed these were quickly deauthorized and that there’s no evidence of unauthorized access of user data through these tokens.
“No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected,” the firm added. “To reiterate: none of your ‘memories’ — the social media posts & photos that Timehop stores — were accessed.”
In a separate blog post, the firm explained more on how the attack happened, specifically tracing it back to a compromised cloud platform credential.
“On December 19, 2017 an authorized administrative user's credentials were used by an unauthorized user to log into our Cloud Computing Provider. This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” the firm revealed.
“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data. At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 pm, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”
The firm responded swiftly by taking various steps such as: conducting a user audit and permissions inventory, changing all passwords and keys and adding MFA to all accounts, revoking inappropriate permissions and increasing monitoring.
"It’s ironic that a service which brings back memories from the past was also breached by an attack vector which is one of the oldest: taking over an administrator account,” argued Imperva director of threat research, Ben Herzberg. “My hopes are that with the new privacy regulations, such as GDPR, companies will take better care of PII and such incidents will become less common."