Published: Mon, July 09, 2018

Timehop breached due to lack of 2FA, 21 million users hit

On the upside, users' financial information, social media posts/photos, direct messages, and Timehop streaks remain secure and unaffected.

The Timehop app has to be authorised by you, and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.

Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done. "We have deactivated these keys so they can no longer be used by anyone - so you'll have to re-authenticate to our App," the company said. Only 22% of its 21 million user base, roughly 4.7 million users, had a phone number attached to their account.
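The token handling the article describes, stored tokens being invalidated in one step so that every user has to re-authorise, is easier to see in code. The following is an added example, not Timehop's own code; the store, its epoch mechanism and the user and service names are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    """One stored access token for one (user, upstream service) pair."""
    user_id: str
    service: str
    epoch: int        # value of the store's epoch when this token was issued
    issued_at: float


class TokenStore:
    """Hypothetical server-side store of the access tokens an aggregator app holds.

    The store keeps a single integer 'epoch'. Each token records the epoch at
    which it was issued; revoke_all() bumps the epoch, so every token issued
    before the bump fails validation at once, without touching each record.
    """

    def __init__(self) -> None:
        self._epoch = 0
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user_id: str, service: str) -> str:
        """Issue a fresh token after the user (re-)authorises the app for a service."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, service, self._epoch, time.time())
        return token

    def validate(self, token: str) -> Optional[TokenRecord]:
        """Return the record for a live token, or None if it is unknown or revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec.epoch != self._epoch:
            return None
        return rec

    def revoke_all(self) -> int:
        """Invalidate every outstanding token; returns how many were live."""
        live = sum(1 for r in self._tokens.values() if r.epoch == self._epoch)
        self._epoch += 1
        return live

    def purge_revoked(self) -> int:
        """Drop records of revoked tokens so they can never be matched again."""
        stale = [t for t, r in self._tokens.items() if r.epoch != self._epoch]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def revoke_and_reauth_demo() -> dict:
    """Walk through the incident-response sequence on constructed sample data."""
    store = TokenStore()
    old = [store.issue("user-1", "twitter"),
           store.issue("user-1", "instagram"),
           store.issue("user-2", "facebook")]
    valid_before = all(store.validate(t) is not None for t in old)
    revoked = store.revoke_all()                       # the "deactivate all keys" step
    old_valid_after = any(store.validate(t) is not None for t in old)
    new = store.issue("user-1", "twitter")             # user re-authenticates
    return {
        "valid_before": valid_before,
        "revoked": revoked,
        "old_valid_after": old_valid_after,
        "new_valid": store.validate(new) is not None,
        "purged": store.purge_revoked(),
    }
```

The epoch design matters under incident pressure: the revocation is a single counter increment rather than a walk over millions of rows, so the window in which stolen tokens remain usable closes as soon as the decision is made, and the purge can run afterwards at leisure.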

Timehop admitted that the attack was possible because multi-factor authentication was not enabled on the account involved, which allowed the compromise of an access credential to its cloud computing environment.
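The control that was missing here is easy to audit for. Below is an added example, not Timehop's code or any cloud provider's API, of a check that flags interactive accounts without MFA and ranks privileged ones highest; the account inventory, role names and field names are constructed for illustration.

```python
from typing import Dict, List

# Roles treated as privileged for this check (assumed names, adjust to your IdP).
PRIVILEGED_ROLES = {"admin", "owner", "cloud-admin"}

# Constructed sample inventory; not data from Timehop or any real provider.
ACCOUNTS: List[Dict] = [
    {"user": "ops-admin", "roles": ["cloud-admin"],     "mfa_enabled": False, "console": True},
    {"user": "alice",     "roles": ["admin"],           "mfa_enabled": True,  "console": True},
    {"user": "bob",       "roles": ["developer"],       "mfa_enabled": False, "console": True},
    {"user": "ci-bot",    "roles": ["deployer"],        "mfa_enabled": False, "console": False},
    {"user": "carol",     "roles": ["owner", "billing"], "mfa_enabled": False, "console": True},
]


def audit_mfa(accounts: List[Dict]) -> List[Dict]:
    """Return findings for accounts that can log in interactively without MFA.

    Severity is 'high' for privileged roles, 'medium' otherwise. Non-interactive
    service accounts (console=False) are skipped: MFA cannot be applied to them,
    so they belong in a separate key-rotation check rather than this one.
    """
    findings = []
    for acct in accounts:
        if not acct.get("console", True):
            continue
        if acct.get("mfa_enabled", False):
            continue
        privileged = sorted(set(acct.get("roles", [])) & PRIVILEGED_ROLES)
        findings.append({
            "user": acct["user"],
            "severity": "high" if privileged else "medium",
            "privileged_roles": privileged,
        })
    # High-severity findings first, then alphabetical so the report is stable.
    findings.sort(key=lambda f: (f["severity"] != "high", f["user"]))
    return findings


def mfa_coverage(accounts: List[Dict]) -> float:
    """Percentage of interactive accounts with MFA enabled, to one decimal place."""
    interactive = [a for a in accounts if a.get("console", True)]
    if not interactive:
        return 100.0
    covered = sum(1 for a in interactive if a.get("mfa_enabled", False))
    return round(100.0 * covered / len(interactive), 1)


if __name__ == "__main__":
    for f in audit_mfa(ACCOUNTS):
        print(f"{f['severity']:6} {f['user']:10} privileged={f['privileged_roles']}")
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS)}%")
```

Run periodically against an export from the identity provider, the high-severity list should be empty; any entry on it is exactly the condition the article describes, an administrative credential that a single stolen password is enough to use.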

"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken," a spokesperson wrote in a blog post. Of the decision to invalidate the tokens, the company added: "We did this in an abundance of caution, to reset all the keys."

"[It] is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts. We have no evidence that this actually happened," the company said.

Secure your phone. Avoiding public Wi-Fi and installing a screen lock are simple steps that can hinder hackers. In other cases, the provider can limit the number's portability. Turn those notifications on to stay informed about credit card activity linked to your account. According to the release, the attack was detected and interrupted less than 3 hours after it started.

According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December using the compromised admin credentials, apparently conducting reconnaissance for a few days that month, then again for one day in March and one in June, before launching the attack on July 4, a U.S. holiday. Timehop system administrators have added the necessary protections for the accounts that didn't have them and are confident such an attack can't be repeated.

The company is less reassuring on the matter of the stolen phone numbers, advising those who shared such data with it: "It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported." It added: "We have no evidence that any accounts were accessed without authorization."

"These tokens could allow a malicious actor to view without permission some of your social media posts", the company said. At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate.