Timehop data breach is worse than they initially said

Dates of birth and gender were also stolen by hackers.

Timehop data breach is worse than they initially said

‘Time capsule’ app Timehop has revealed that it made a boo-boo when it initially shared details over the weekend of a data breach involving millions of users’ names, email addresses, and phone numbers.

An updated advisory from the firm reveals that the hackers, who initially struck last December but made off with the organisation’s data on July 4th, also purloined users’ dates of birth, gender, and country codes.

The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately of one another and are not additive. The total number of breached records was approximately 21 million, says Timehop.

Type of Personal Data Combination # of Breached Records # of Breached GDPR Records
Name, email, phone, DOB 3.3 million 174,000
Name, email address, phone 3.4 million 181,000
Name, email address, DOB 13.6 million 2.2 million
Name, phone number, DOB 3.6 million 189,000
Name and email address 18.6 million 2.9 million
Name and phone number 3.7 million 198,000
Name and DOB 14.8 million 2.5 million
Name total 20.4 million 3.8 million
DOB total 15.5 million 2.6 million
Email addresses total 18.6 million 2.9 million
Gender designation total 9.2 million 2.6 million
Phone numbers total 4.9 million 243,000

No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency.

I’m impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published.

No one disagrees, however, that this breach should never have happened in the first place.

Sign up to our free newsletter.
Security news, advice, and tips.

A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator’s password. That account should have been protected with multi-factor authentication, but wasn’t.

The hacker was then able to create his or her own admin account, meaning even if the original breached account’s password was changed they still had access to Timehop’s cloud services. Those cloud services provide the hacker with anything of value on subsequent visits, until…

“In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”

So, yes it’s good that Timehop is being transparent in how it communicates its breach, and it no doubt is conscious that its openness may be taken into consideration in any future GDPR fine. Other companies can learn from this.

But other companies can also take the opportunity to learn from the mistakes Timehop made to get themselves into this mess in the first place. If you’re responsible for securing your company, be sure to read Timehop’s technical report on what occurred, and the steps it took in response.

By the way, the Timehop data breach was one of the topics discussed in this week’s edition of the “Smashing Security” podcast, recorded before the company updated its security advisory with the additional information.

Smashing Security #086: 'Elon Musk submarine scams and 2FA bypass'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.