Timehop: Lack of Multifactor Login Controls Led to Breach
Breach Underlines Need for Strong Authentication in Cloud Services
Timehop, an application that revives older social media posts, says 21 million users are affected by a breach that exposed names, email addresses, access tokens and for some users, phone numbers.
Of the 21 million users, 22 percent, or 4.7 million, had their phone number exposed, Timehop says. The breach, which occurred July 4, was contained after about two and a half hours, Timehop says in an advisory.
The attacker compromised a cloud services account belonging to Timehop, which did not have multifactor authentication enabled.
"We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts," it says.
Access Tokens Revoked
Once users grant permission, Timehop's application can mine social media accounts such as Facebook, Twitter, Instagram, Google and Dropbox, sharing old posts and photos for fun. Timehop gets an access token that allows it to maintain persistent access.
After discovering the breach, Timehop invalidated those tokens. It says there was a short window of time, however, when the attacker could have used the tokens, although there is no evidence that occurred.
"While we were confident that the access keys to those services had not been used, we felt that potential exposure of that content urgently justified a service interruption to ensure that attackers could not, for example, view personal photos," it says. "Through conversations with the information security, engineering and communications staff at these providers, we were able to deactivate the keys and confirm that no photos had been compromised."
The token that Timehop obtains does not grant access to private messages, such as Facebook Messenger conversations or direct messages on Twitter or Instagram. It does, however, allow viewing of the posts on a person's profile, the company says.
Seeds Of Attack
Although the data was taken on July 4, the intrusion began in December 2017, Timehop says.
Someone obtained valid credentials for an administrator account and used them to log into Timehop's cloud services provider. The intruder then created a new administrator account of their own and began reconnaissance, Timehop says in a technical write-up.
"For the next two days, and on one day in March 2018 and one day in June 2018, the unauthorized user logged in again and continued to conduct reconnaissance," the company says.
Then, on July 4, Timehop received an alert that a production database was under attack and that data was being transferred out of it.
Once Timehop understood the scope, it began a series of defensive steps. That included creating an inventory of user permissions, changing all passwords and keys and turning on multifactor authentication for all cloud-based accounts, including on the service that was compromised.
Timehop says it has also revoked inappropriate permissions, increased its alerting and monitoring and reviewed its authentication and access management. It has also "introduced more pervasive encryption throughout our environment."
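The timeline above shows every stage of this intrusion leaving a trace in the cloud provider's audit log months before the alert that finally fired on the database: an administrator logging in without MFA, a brand-new account receiving administrator rights, and a rarely used admin account waking up from a new address. The following is an added example, not Timehop's code, of detection rules run over a constructed, provider-neutral JSON audit log that follows the article's timeline. The record layout, event names (`ConsoleLogin`, `AttachAdminPolicy`, `DBSnapshotExport`), user names, dates and IP addresses are all invented for the example; real audit logs such as AWS CloudTrail or GCP Cloud Audit Logs use different field names, so the field accesses would need adapting.

```python
"""Audit-log detection rules for the pattern described in the article: an
admin login without MFA, creation of a second admin account, months of
sporadic reconnaissance logins, then a bulk database export.

Added example, not Timehop's code. The JSON record layout is a hypothetical,
provider-neutral format constructed for this example.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log following the article's timeline. Dates, user
# names and IPs are invented (IPs come from documentation ranges).
SAMPLE_LOG = """
{"ts": "2017-12-12T04:12:00Z", "event": "ConsoleLogin", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa": false, "admin": true}
{"ts": "2017-12-12T04:20:00Z", "event": "CreateUser", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa": false, "admin": true, "target": "svc-backup2"}
{"ts": "2017-12-12T04:21:00Z", "event": "AttachAdminPolicy", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa": false, "admin": true, "target": "svc-backup2"}
{"ts": "2017-12-13T03:05:00Z", "event": "ConsoleLogin", "user": "svc-backup2", "src_ip": "203.0.113.7", "mfa": false, "admin": true}
{"ts": "2017-12-14T02:44:00Z", "event": "ConsoleLogin", "user": "svc-backup2", "src_ip": "203.0.113.7", "mfa": false, "admin": true}
{"ts": "2018-03-15T01:10:00Z", "event": "ConsoleLogin", "user": "svc-backup2", "src_ip": "198.51.100.9", "mfa": false, "admin": true}
{"ts": "2018-06-22T23:58:00Z", "event": "ConsoleLogin", "user": "svc-backup2", "src_ip": "198.51.100.9", "mfa": false, "admin": true}
{"ts": "2018-07-04T20:03:00Z", "event": "DBSnapshotExport", "user": "svc-backup2", "src_ip": "198.51.100.9", "mfa": false, "admin": true, "bytes": 9000000000}
{"ts": "2018-07-05T09:00:00Z", "event": "ConsoleLogin", "user": "dev-alice", "src_ip": "192.0.2.10", "mfa": true, "admin": false}
"""

DORMANT_GAP = timedelta(days=30)   # admin unused this long, then active again: suspicious
BULK_EXPORT_BYTES = 1 << 30        # 1 GiB; tune to the environment


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events):
    """Return (rule, timestamp, principal) findings in timeline order."""
    findings = []
    last_login = {}                 # user -> datetime of last console login
    known_ips = defaultdict(set)    # user -> source IPs seen so far
    for ev in events:
        kind, user, ts = ev["event"], ev["user"], ev["ts"]
        if kind == "ConsoleLogin":
            if ev["admin"]:
                if not ev["mfa"]:
                    findings.append(("admin_login_without_mfa", ts, user))
                prev = last_login.get(user)
                if prev is not None and ts - prev > DORMANT_GAP:
                    findings.append(("dormant_admin_login", ts, user))
                if known_ips[user] and ev["src_ip"] not in known_ips[user]:
                    findings.append(("admin_login_new_ip", ts, user))
            known_ips[user].add(ev["src_ip"])
            last_login[user] = ts
        elif kind == "AttachAdminPolicy":
            # Any grant of admin rights deserves a human look, whoever did it.
            findings.append(("admin_privilege_granted", ts, ev["target"]))
        elif kind == "DBSnapshotExport" and ev.get("bytes", 0) >= BULK_EXPORT_BYTES:
            findings.append(("bulk_db_export", ts, user))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _, _ in findings)


def first_alert(findings):
    """Timestamp of the earliest finding, or None if there are none."""
    return min((ts for _, ts, _ in findings), default=None)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for rule, ts, who in found:
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<26} {who}")
    print("first alert:", first_alert(found))
```

Run against the constructed log, the first finding lands on the December login rather than the July export, which is the gap between the monitoring the company had and the "increased alerting and monitoring" it describes adding afterwards. The same rules also show why enforcing MFA on every administrator account matters: with MFA on, the stolen password alone would not have produced the first login, and the rest of the chain never starts.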
Because Timehop has invalidated the access tokens, users will have to log in and link their social media services to Timehop again.
"This will generate a new, secure token," Timehop says. "Because your data's integrity is our first priority, we have deauthorized tokens as quickly as possible. As we mentioned, if you have noticed any content not loading, it is because we deactivated these tokens proactively."
The company says it has notified U.S. federal law enforcement and hired incident response and threat intelligence contractors and a crisis communication company.
It has also notified European regulators. The European Union's General Data Protection Regulation, one of the strictest privacy laws in the world, came into effect on May 25. Organizations are required to report breaches to the supervisory authority within 72 hours of becoming aware of them, and to notify affected users without undue delay when the breach is likely to pose a high risk to them.