‘Time capsule’ app Timehop has revealed that it made a boo-boo when it initially shared details over the weekend of a data breach involving millions of users’ names, email addresses, and phone numbers.
An updated advisory from the firm reveals that the hackers, who initially struck last December but made off with the organisation’s data on July 4th, also purloined users’ dates of birth, gender, and country codes.
The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately of one another and are not additive. The total number of breached records was approximately 21 million, says Timehop.
|Type of Personal Data Combination||# of Breached Records||# of Breached GDPR Records|
|Name, email, phone, DOB||3.3 million||174,000|
|Name, email address, phone||3.4 million||181,000|
|Name, email address, DOB||13.6 million||2.2 million|
|Name, phone number, DOB||3.6 million||189,000|
|Name and email address||18.6 million||2.9 million|
|Name and phone number||3.7 million||198,000|
|Name and DOB||14.8 million||2.5 million|
|Name total||20.4 million||3.8 million|
|DOB total||15.5 million||2.6 million|
|Email addresses total||18.6 million||2.9 million|
|Gender designation total||9.2 million||2.6 million|
|Phone numbers total||4.9 million||243,000|
No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency.
I’m impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published.
No one disagrees, however, that this breach should never have happened in the first place.
A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator’s password. That account should have been protected with multi-factor authentication, but wasn’t.
The hacker was then able to create his or her own admin account, meaning even if the original breached account’s password was changed they still had access to Timehop’s cloud services. Those cloud services provide the hacker with anything of value on subsequent visits, until…
“In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”
So, yes it’s good that Timehop is being transparent in how it communicates its breach, and it no doubt is conscious that its openness may be taken into consideration in any future GDPR fine. Other companies can learn from this.
But other companies can also take the opportunity to learn from the mistakes Timehop made to get themselves into this mess in the first place. If you’re responsible for securing your company, be sure to read Timehop’s technical report on what occurred, and the steps it took in response.
By the way, the Timehop data breach was one of the topics discussed in this week’s edition of the “Smashing Security” podcast, recorded before the company updated its security advisory with the additional information.
Smashing Security #086: 'Elon Musk submarine scams and 2FA bypass'
Listen on Apple Podcasts | Spotify | Google Podcasts | Pocket Casts | Other... | RSS
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.