‘Time capsule’ app Timehop has revealed that it made a boo-boo when it initially shared details over the weekend of a data breach involving millions of users’ names, email addresses, and phone numbers.
An updated advisory from the firm reveals that the hackers, who initially struck last December but made off with the organisation’s data on July 4th, also purloined users’ dates of birth, gender, and country codes.
The company has also provided a breakdown of the breached Personally Identifiable Information (PII), noting that the figures should be considered separately of one another and are not additive. The total number of breached records was approximately 21 million, says Timehop.
| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |
No company relishes the idea of updating a security advisory to detail that the situation is actually worse than initially thought, but Timehop should be applauded for its openness and transparency.
I’m impressed that after realising it had been breached on July 4th Timehop took prompt action, and has been upfront in both its customer advisory and the technical security report it has published.
No one disagrees, however, that this breach should never have happened in the first place.
A hacker first broke into a third-party cloud service used by Timehop in December 2017 using an administrator’s password. That account should have been protected with multi-factor authentication, but wasn’t.
The hacker was then able to create his or her own admin account, meaning even if the original breached account’s password was changed they still had access to Timehop’s cloud services. Those cloud services provide the hacker with anything of value on subsequent visits, until…
“In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”
So, yes it’s good that Timehop is being transparent in how it communicates its breach, and it no doubt is conscious that its openness may be taken into consideration in any future GDPR fine. Other companies can learn from this.
But other companies can also take the opportunity to learn from the mistakes Timehop made to get themselves into this mess in the first place. If you’re responsible for securing your company, be sure to read Timehop’s technical report on what occurred, and the steps it took in response.
By the way, the Timehop data breach was one of the topics discussed in this week’s edition of the “Smashing Security” podcast, recorded before the company updated its security advisory with the additional information.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Newsflash, newsflash. Smashing Security is extremely unlikely to win anything in the Podcast Awards, unless someone votes for us.
Visit smashingsecurity.com/vote, and vote for Smashing Security in the People's Choice and Technology categories.
Yes, you have to create an account at the Podcast Awards website to vote for us.
Yes, that's a pain, but it's nothing compared to the pain I could do to your eardrums if I decided to sing la la lee diddle lee da da da.
So, smashingsecurity.com/vote if you know what's good for you.
Visit smashingsecurity.com/vote, and vote for Smashing Security in the People's Choice and Technology categories.
Yes, you have to create an account at the Podcast Awards website to vote for us.
Yes, that's a pain, but it's nothing compared to the pain I could do to your eardrums if I decided to sing la la lee diddle lee da da da.
So, smashingsecurity.com/vote if you know what's good for you.
Barbecue or dealing with family or, you know, on a march somewhere. You're not throwing your fingers off or what?
Are blowing your fingers off. This is American pastime.
For real? Fireworks.
Fireworks. They don't actually go out with the intention of blowing their fingers off.
It just sort of happens.
I was just thinking in my head going, I don't know what he's talking about. With guns?
Is it guns?
I'm a bit bored. Smashing Security, Episode 86: Elon Musk Submarine Scams and Two-Factor Bypass with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security. Security number 86. My name is Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security. Security number 86. My name is Graham Cluley.
And I'm Carole Theriault.
And we're joined today by a returning friend of the show and author of Social Media Is Bullshit. It's BJ Mendelson. Hi, BJ.
Hello. Thank you so much for having me back. Hi.
I'm glad that you're a returning friend. Did Graham clear that with you, that you're actually a friend of the show?
It's the first I've heard of it, but I am always pleased to be called a friend of anything.
Now BJ, you're not just an author, you know, slagging off social media. The other part of your life is you're into comic books and things like that, isn't it?
That's right. Just for example, this weekend I'm going to be speaking at the Florida Super Con about how to promote comic books.
And what kind of thing goes on at the Florida Super Con?
Oh, so there is a thing called Fantasy Super Cosplay Wrestling.
Oh yeah, because you love wrestling.
I do. I love pro wrestling. I love superheroes.
So this is the perfect mashup. You've got superhero cosplay and wrestling.
That's right. All in one ring.
What's hilarious though is I only agreed to do the conference because they were doing the fantasy super cosplay wrestling, but I said in the notes, please don't book me when the wrestling is going on because I want to see it.
I was really explicit about it. So on Saturday night, as they're doing their big event, I have my panel.
What's hilarious though is I only agreed to do the conference because they were doing the fantasy super cosplay wrestling, but I said in the notes, please don't book me when the wrestling is going on because I want to see it.
I was really explicit about it. So on Saturday night, as they're doing their big event, I have my panel.
Oh wow.
Can you dress like Big Daddy in homage?
I feel like I should.
I definitely think you should.
The thing is, wrestlers do dress a bit like superheroes anyway, don't they? Because they often wear their underpants over their tights. That's right.
It's a live-action comic book.
I love it.
Are you in the cosplay right now?
Are you?
What do you?
Oh, no, I just rolled out of bed.
He doesn't sleep in it.
You never know. There might be an emergency.
Well, though, if you're like Daniel Day-Lewis and you're really into method acting, you probably would sleep in the cosplay.
Did you ever hear the story where he was on the set of Lincoln and he only would be referred to as Mr. President?
And when Sally Field had to talk to him, she would have to text him as Lincoln's wife. And that was the only way he would respond to her.
Did you ever hear the story where he was on the set of Lincoln and he only would be referred to as Mr. President?
And when Sally Field had to talk to him, she would have to text him as Lincoln's wife. And that was the only way he would respond to her.
Did she ever talk dirty? Just to say, I'm just method acting.
I kind of wonder what 19th century dirty talk would sound like through text.
Sally Field wouldn't text dirty. She's lovely.
I found the lovelier the people, the dirtier the text.
Hey Graham. Hey Carole.
So you run your own business, right?
I do, yes.
I run my own business.
Yes.
And how many different applications and services and software pieces do you need to buy or rent in order to run a business like ours in the technology space?
Scores, if not hundreds.
It would be physically impossible, would it not, to remember unique passwords for every single one of those apps?
That, let alone your personal life and all the stuff you have there, all the chess and Doctor Who stuff you have.
That, let alone your personal life and all the stuff you have there, all the chess and Doctor Who stuff you have.
Not completely impossible, because if your password was DoctorWho1 or Chess2, if you made— so you could have unique passwords.
They wouldn't be very good passwords though, would they?
They wouldn't be very good passwords though, would they?
Yeah, so you're recommending that people have crappy passwords? No. Or should they use a password manager like LastPass?
They should use a password manager like LastPass. I think all businesses have got to really, because otherwise your employees are going to choose sloppy, rubbish passwords.
And you're going to get lazy yourself and use the same password for different accounts.
Horrendous. So you want central control of everyone inside your business and how they're using passwords and properly manage it.
Check out lastpass.com/smashing.
I don't think you need to say forward slash. Anyone who's listening to this knows which way the slash goes.
You're probably right.
Okay, chaps. Well, the world has been gripped with the story of that soccer team, those poor boys in Thailand stuck deep within a flooding cave system.
The international effort to rescue them.
Thankfully, just before we started recording today's episode, word came through that all 12 boys and their coach had been rescued from the flooded cave. 17 days.
The international effort to rescue them.
Thankfully, just before we started recording today's episode, word came through that all 12 boys and their coach had been rescued from the flooded cave. 17 days.
Wow.
17 days.
They got trapped underground. Amazing, isn't it?
I've—
It's really affected me, this. I've been really upset about it.
I was upset when they were first lost, then I was upset when they were found, and I thought, oh my goodness, how are they going to get them out?
I was upset when they were first lost, then I was upset when they were found, and I thought, oh my goodness, how are they going to get them out?
And they were really young, the kids, right?
Yeah.
Very young.
I have a question though.
Yeah.
Does anyone know how they got into the cave in the first place?
Well, I believe that they just sort of walked in. It was some sort of initiation ceremony that they go up to some wall and scratch a mark or something.
And then the rain came down and so they went deeper into the cave. They found that their way out was trapped and so they just kept on going deeper and deeper in.
And then the rain came down and so they went deeper into the cave. They found that their way out was trapped and so they just kept on going deeper and deeper in.
Yeah, the area was flooding, I think, so they weren't able to escape the cave because of all the water that had locked them in there from the storm.
Absolutely horrific. And tragically, one diver on the rescue team who was delivering supplies of air, he died of asphyxia.
It's incredible though. They were bringing them air and food and warmth. It's just an incredible human endeavor.
Horrendously perilous situation the kids found themselves in. And while we were all holding our breath, there were numerous ideas on how to rescue them.
I mean, for instance, some people said, well, let's drill a hole from the top and get down to them.
Let's teach them how to dive underwater in a cave with no visibility, or let's leave them there for 4 months while they wait for the end of the rainy season.
And one person who was approached for an idea was Elon Musk. He's got over 22 million people following him on Twitter, and someone said to him, have you got any ideas?
You know, you're Elon Musk, right? You're the founder of SpaceX and Tesla, and you're basically Iron Man.
And Elon Musk came up with a couple of ideas, and one of them was this tiny sort of submarine— well, it wasn't really a submarine, it was this skinny airtight capsule that they thought maybe other divers could guide through narrow space and just big enough for a kid to squeeze inside.
And he posted up videos and they tested it in swimming pools and they raced it out to Thailand and it turned out it wasn't needed, but he left it there just in case, thinking it might be useful in future.
Maybe just didn't want to lug it back to the airport. I don't know.
But anyway, he left it there and there was a message posted in on this thread on Twitter from Elon Musk saying, even if it's not going to be used, it won't harm to have it on hand for any emergencies.
Also remembered my promise from yesterday. And I was reading this Twitter thread and I thought, I wonder what Elon Musk's promise was the day before.
I mean, for instance, some people said, well, let's drill a hole from the top and get down to them.
Let's teach them how to dive underwater in a cave with no visibility, or let's leave them there for 4 months while they wait for the end of the rainy season.
And one person who was approached for an idea was Elon Musk. He's got over 22 million people following him on Twitter, and someone said to him, have you got any ideas?
You know, you're Elon Musk, right? You're the founder of SpaceX and Tesla, and you're basically Iron Man.
And Elon Musk came up with a couple of ideas, and one of them was this tiny sort of submarine— well, it wasn't really a submarine, it was this skinny airtight capsule that they thought maybe other divers could guide through narrow space and just big enough for a kid to squeeze inside.
And he posted up videos and they tested it in swimming pools and they raced it out to Thailand and it turned out it wasn't needed, but he left it there just in case, thinking it might be useful in future.
Maybe just didn't want to lug it back to the airport. I don't know.
But anyway, he left it there and there was a message posted in on this thread on Twitter from Elon Musk saying, even if it's not going to be used, it won't harm to have it on hand for any emergencies.
Also remembered my promise from yesterday. And I was reading this Twitter thread and I thought, I wonder what Elon Musk's promise was the day before.
Okay.
So I carried on following the thread and Elon Musk basically puts up a link to a webpage where he says Tesla is offering to give away 5,000 bitcoins, which is equivalent to about $32 million.
Yeah. All you have to do, said the webpage, is send either 0.1 to 5 bitcoins and you will get 1 to 50 bitcoins back.
So you're basically what, you're multiplying your investment by 10. Send us some bitcoins, we'll send you much more back. And this is Elon Musk telling people they can do this.
Yeah. All you have to do, said the webpage, is send either 0.1 to 5 bitcoins and you will get 1 to 50 bitcoins back.
So you're basically what, you're multiplying your investment by 10. Send us some bitcoins, we'll send you much more back. And this is Elon Musk telling people they can do this.
Is it Elon Musk?
Well, it's certainly the name Elon Musk, but if you look, and it has Elon Musk's picture, and it's in a conversation which was started by Elon Musk, and the first message about, "Even if it's not going to be used, it won't harm to have it on hand," that does appear to be in the nature of this discussion.
Of course, it's not really Elon Musk's Twitter account. It's Elobecusk, you know, slight variant of Elon's name.
Of course, it's not really Elon Musk's Twitter account. It's Elobecusk, you know, slight variant of Elon's name.
His dollar store equivalent.
I don't think many people would confuse that name with Elon Musk, looking at it quickly. Well, Elobecrusk.
No, but I don't think you wouldn't necessarily see the user ID. Quite often with Twitter applications, you only see people's given name and their avatar. You don't always see the ID.
The only clue that this is not the real Elon Musk is that there is no blue verified tick.
So if you were following this conversation and there were further messages as well saying, take a quick look and the submarine will be useful even if not immediately, you get taken to this webpage, which appears to be from Tesla.
The only clue that this is not the real Elon Musk is that there is no blue verified tick.
So if you were following this conversation and there were further messages as well saying, take a quick look and the submarine will be useful even if not immediately, you get taken to this webpage, which appears to be from Tesla.
Now, where do they put this verified tick?
You can see it on mine. It's just after BJ Mendelson is the blue check. There you go.
BJ's got the blue tick. I've got the blue tick. Carole, have you got a blue tick?
I bet I don't. What, do you have to apply for one?
You do have to apply unless you're a real celebrity. Then you don't.
Oh yeah, Donald Trump just got it.
Just probably just got it right.
So what crypto scammers are doing is they are leaping onto conversations initiated by people with high followings, pretending to be those people, and their messages are getting hundreds and sometimes thousands of likes.
They're getting replies, and people think that they're speaking to the real high-profile person, and sometimes they're being duped into clicking on these links, and sometimes they are undoubtedly giving money because they think, well, it does sound too crazy to be true, but this is Elon Musk.
He's got bags of money. Maybe he would do something like this.
So what crypto scammers are doing is they are leaping onto conversations initiated by people with high followings, pretending to be those people, and their messages are getting hundreds and sometimes thousands of likes.
They're getting replies, and people think that they're speaking to the real high-profile person, and sometimes they're being duped into clicking on these links, and sometimes they are undoubtedly giving money because they think, well, it does sound too crazy to be true, but this is Elon Musk.
He's got bags of money. Maybe he would do something like this.
Do you not think people would check how many followers someone has if they were just going into this?
No, no, no. I don't think people would bother at all.
If you're following a thread and it appears this guy is talking about what the initial person spoke about and his account ID avatar and his name is the same, I think you just assume it's something else.
If you're following a thread and it appears this guy is talking about what the initial person spoke about and his account ID avatar and his name is the same, I think you just assume it's something else.
So you're thinking most people would fall for this is what you think.
I'm not saying most people would necessarily give the money, right? I'm not saying that, but I think a percentage of people probably would.
Okay. That's what a political answer.
Well, he has 22 million followers.
Yeah. But what percentage? Just say.
I don't know what percentage, Carole.
Well, so just from the research I've done, even if you have a really large Twitter account, at most you could get like a 0.1%.
That's the best that you can really hope for, even if you have a large amount of followers. We're not talking a significant chunk of them that would click through on it.
That's the best that you can really hope for, even if you have a large amount of followers. We're not talking a significant chunk of them that would click through on it.
Yeah, I mean, this particular tweet, the offending one pointing to the dodgy page, it had 152 likes, it had retweets, it had other people commenting on it as well.
And it wasn't even the only one in the thread. There was another one just a few pages down I saw from a different fake Elon Musk.
Saying, again, give us some of your bitcoins and we will give you a free Tesla car just by handing over some bitcoin or Ethereum.
So crypto scammers are taking advantage of celebrities. Elon Musk is not the only one. We've also seen journalists. We've also seen some of the bitcoin exchanges as well.
In some cases, they've actually had their legitimate verified accounts hacked.
And it wasn't even the only one in the thread. There was another one just a few pages down I saw from a different fake Elon Musk.
Saying, again, give us some of your bitcoins and we will give you a free Tesla car just by handing over some bitcoin or Ethereum.
So crypto scammers are taking advantage of celebrities. Elon Musk is not the only one. We've also seen journalists. We've also seen some of the bitcoin exchanges as well.
In some cases, they've actually had their legitimate verified accounts hacked.
Exactly.
These posts made.
I was just going to say Elon Musk's account has not been hacked in this case. This is just someone purporting to be him with a secondary account.
And in other cases, Twitter itself has been tricked into giving scammers verified accounts because they've used fake IDs, which they've uploaded to try and trick Twitter into believing they're someone they haven't.
So this appears to be a real problem, and Twitter isn't handling it terribly well.
Although it is shutting down lots of bogus accounts, it's so easy to create brand new ones, and it seems these devious tricks, which aren't really that sophisticated, are enough to fool people into believing that they are reading a genuine message from a tech guru, a journalist, or a celebrity.
So this appears to be a real problem, and Twitter isn't handling it terribly well.
Although it is shutting down lots of bogus accounts, it's so easy to create brand new ones, and it seems these devious tricks, which aren't really that sophisticated, are enough to fool people into believing that they are reading a genuine message from a tech guru, a journalist, or a celebrity.
Did I read this week that they're closing something like 1 million accounts per day on average?
Yes. Yeah, I think a lot of the accounts they're closing down may actually be at the point in which the accounts are actually created, as it were.
So they're stopping them quite early.
So they're stopping them quite early.
Oh, right, right. So they're newly created and they're going, this doesn't look legit.
Got you. This is obviously dodgy and that may be picking them up in a very short period of time. But there is a huge problem.
And I have seen people who've actually responded to some of these fake bitcoin scammers who are posting these messages. They reply saying, this is obviously a scammer.
And within a matter of minutes, a brand new account has been created in the name of that user who has been calling them out, posting, of course, another bitcoin scam.
So, you know what was happening though? Some people were saying, oh, he's just jumping on the publicity wagon. You know, he's doing this as a PR stunt.
And that kind of annoyed me a bit. I thought, yeah, obviously Elon Musk is in some ways an utterly odious person just from what I've read.
You know, I just think, oh, he just sounds vile in every way.
And I have seen people who've actually responded to some of these fake bitcoin scammers who are posting these messages. They reply saying, this is obviously a scammer.
And within a matter of minutes, a brand new account has been created in the name of that user who has been calling them out, posting, of course, another bitcoin scam.
So, you know what was happening though? Some people were saying, oh, he's just jumping on the publicity wagon. You know, he's doing this as a PR stunt.
And that kind of annoyed me a bit. I thought, yeah, obviously Elon Musk is in some ways an utterly odious person just from what I've read.
You know, I just think, oh, he just sounds vile in every way.
I can add to that.
You guys are just jealous because he's hot, he has money, and he gets stuff done.
He certainly has money. That's true.
He does. He does.
At least he tried to do something. I don't care if this was publicity stunt or not. He did something.
And all those people whinging about, oh, look at him sending his little submarine to Thailand and it wasn't really wanted.
And all those people whinging about, oh, look at him sending his little submarine to Thailand and it wasn't really wanted.
And so what if he's a media darling, right, Graham?
What are you saying?
Nothing.
Kind of the cave thing, you know, that's a story where I've been following it and I was really hung up on how they got in there in the first place.
But you guys have sort of broken that down. Because I'm kind of like, wouldn't you just leave how you came in? And I didn't realize.
But you guys have sort of broken that down. Because I'm kind of like, wouldn't you just leave how you came in? And I didn't realize.
They thought of that. They thought of that, BJ. It's good that you, you should have texted them or something.
You should have just, yeah, right. Exactly. Right.
If only I was there with a, BJ, what's your story for us this week?
Involving YouTube. So the big thing is that they're going to spend $25 million to stop fake news or stop, quote unquote, right?
But when you dig into the actual article of how they're going to stop it, they're not talking about their platform at all.
Instead, what they're talking about is these videos featuring YouTube influencers to promote critical thinking.
But when you dig into the actual article of how they're going to stop it, they're not talking about their platform at all.
Instead, what they're talking about is these videos featuring YouTube influencers to promote critical thinking.
$25 million? For promo videos?
For promo videos and other things.
I wouldn't mind a piece of that pie.
We could make a video.
Yeah, I'm pretty good at the old Logic Pro.
Is anyone at YouTube actually applying some critical thinking? Is this a very good use of their money?
No, so that's the whole thing, right? They have gone through contortions over the past year or so of, you know, we know fake news is a problem.
We've got the Google News initiative and google.org and we got, you know, all these critical thinking videos we're going to make and that's what's going to solve the problem.
But you never hear them stop and go, hey, maybe there's a problem with the algorithm and the way our system works. And that's the thing that we should fix.
They never talk about that. Instead, you've got these weird pseudo Band-Aid things that they trot out.
So they said that they're going to, you know, they're building sustainable video operations and that's what the grants are for, for the $25 million.
But nowhere do they talk about the problems with the platform. And as long as they allow that to continue, we're just going to continue having these issues.
We've got the Google News initiative and google.org and we got, you know, all these critical thinking videos we're going to make and that's what's going to solve the problem.
But you never hear them stop and go, hey, maybe there's a problem with the algorithm and the way our system works. And that's the thing that we should fix.
They never talk about that. Instead, you've got these weird pseudo Band-Aid things that they trot out.
So they said that they're going to, you know, they're building sustainable video operations and that's what the grants are for, for the $25 million.
But nowhere do they talk about the problems with the platform. And as long as they allow that to continue, we're just going to continue having these issues.
So will it be that halfway through, you know, one of those videos from who's that terrible man, Alex, whatever his name is, Alex Jones, halfway through one of his videos up will pop PewDiePie or whatever his name is saying, oh, now just, just don't be so certain about this.
Don't believe everything he says.
Don't believe everything that you've just been watching. Because I'm a YouTube-endorsed critical thinking ad.
Yeah, I mean, that's exactly that, right?
That's what it says, that they will be creating videos to raise awareness about digital literacy and help educate teens about— because that's the problem, right?
Teens and not your 65-year-old father who watches right-wing propaganda. Yeah. Educate teens about identifying legit sources of news information.
So that's the crazy thing to me is that, you know, we talked about the grossness of the crypto world, but when it comes to tech, they don't want to take responsibility.
They'd just rather pass the buck. And so that's sort of how they're going to do it.
That's what it says, that they will be creating videos to raise awareness about digital literacy and help educate teens about— because that's the problem, right?
Teens and not your 65-year-old father who watches right-wing propaganda. Yeah. Educate teens about identifying legit sources of news information.
So that's the crazy thing to me is that, you know, we talked about the grossness of the crypto world, but when it comes to tech, they don't want to take responsibility.
They'd just rather pass the buck. And so that's sort of how they're going to do it.
I think that kids and millennials would be much better at detecting fake news than the older generation.
Yeah, exactly right. I mean, I look at my parents. My dad is 70. My mom is in her late 60s. And so they're the ones that should have, hey, let's dig up Steely Dan.
You know, I don't know if any of them are still alive, but let's have the surviving members of Steely Dan come in. And say, hey, the thing you just read is probably BS.
You know, I don't know if any of them are still alive, but let's have the surviving members of Steely Dan come in. And say, hey, the thing you just read is probably BS.
But if you have a change of heart— My mom sometimes says to me, she goes, did you see that thing on the internet?
Exactly.
That's the people that we should be looking at, because in the United States, those are the people that voted for Trump, and those are probably the people that voted for Brexit.
So you're absolutely right, the teens aren't the problem. They know this stuff is BS. It's the older, the baby boomers who could really use this.
That's the people that we should be looking at, because in the United States, those are the people that voted for Trump, and those are probably the people that voted for Brexit.
So you're absolutely right, the teens aren't the problem. They know this stuff is BS. It's the older, the baby boomers who could really use this.
Yeah, he's just got a bit political.
I know.
I mean, we have to earn that explicit warning, don't we?
That's right. We've got to earn it. Good job. Good show, Graham.
So your advice for YouTube is don't spend the money on these daft adverts.
Instead, hire the surviving members of Steely Dan to come out of retirement to advise the silver generation about fake news. That's basically your advice.
Basically, get humans to do this.
Instead, hire the surviving members of Steely Dan to come out of retirement to advise the silver generation about fake news. That's basically your advice.
Basically, get humans to do this.
Yes.
Proper humans to verify these things. Spend the $25 million that way.
Just hire people. Each time you read about this, the platforms always say, oh, you know, our algorithms are getting better every day and we'll be able to fix this.
And I just sit there going, just hire people, you know, as many as you can to help police this and train your algorithms so that this stuff doesn't happen.
But if you're not gonna do that, then yes, absolutely. I think the surviving members of Lynyrd Skynyrd would be perfect.
If we could find them, let's find the corpse of Richard Nixon and maybe try him out for a couple of videos because if that's what they're going to do to solve it.
And I just sit there going, just hire people, you know, as many as you can to help police this and train your algorithms so that this stuff doesn't happen.
But if you're not gonna do that, then yes, absolutely. I think the surviving members of Lynyrd Skynyrd would be perfect.
If we could find them, let's find the corpse of Richard Nixon and maybe try him out for a couple of videos because if that's what they're going to do to solve it.
Carole, what's your topic for us this week?
Well, I'm going to talk about social media. So you guys are, well, I won't say old. You've been around on social media for more than a decade.
Yeah.
Oh yeah. I bet that occasionally you might want to have a snapshot of activity at a certain time.
Maybe BJ, when your book was published, you went around on all your social channels going, "Woohoo!" Or when we won the award, Graham, right?
Maybe BJ, when your book was published, you went around on all your social channels going, "Woohoo!" Or when we won the award, Graham, right?
Oh, best security podcast. Yes, I remember that one. Yes.
Right. So you may want to have an app that helped you pull all those together and aggregate all those messages that happened during a timeframe.
And this is exactly what this app TimeHop does in a nutshell. Its raison d'être is to rekindle fond memories of your past social media posts.
Now, don't go and install this app just yet because TimeHop disclosed this week that it has just been hacked. The hack took place on Independence Day.
And despite wild efforts to stop the breach in action, they did it for 2 hours, the baddies did get away with some of the spoils.
21 million people had their email addresses stolen and usernames, and 5 million lost their phone numbers. They use their mobile phone numbers to log in.
And this is exactly what this app TimeHop does in a nutshell. Its raison d'être is to rekindle fond memories of your past social media posts.
Now, don't go and install this app just yet because TimeHop disclosed this week that it has just been hacked. The hack took place on Independence Day.
And despite wild efforts to stop the breach in action, they did it for 2 hours, the baddies did get away with some of the spoils.
21 million people had their email addresses stolen and usernames, and 5 million lost their phone numbers. They use their mobile phone numbers to log in.
As their login. Yeah. I think this is an app which is very popular on Facebook. I think my wife has this app on Facebook.
And so what it does, it pops up after maybe a year or something saying, oh, do you remember this from 5 years ago?
You know, happy memories of the time Graham quit Facebook, you know, and let you do what you wanted.
And so what it does, it pops up after maybe a year or something saying, oh, do you remember this from 5 years ago?
You know, happy memories of the time Graham quit Facebook, you know, and let you do what you wanted.
Exactly.
I think Facebook actually has its own version of it now called Memories.
Oh, okay.
I think what's cool about this one is that you can aggregate across Twitter and different other apps.
Now, way back in December, an unauthorized person used an admin's credential to log into TimeHop's cloud computing service where all the information is stored.
Question is, how were they able to actually achieve this feat? It turns out they didn't have two-factor authentication turned on.
Now, way back in December, an unauthorized person used an admin's credential to log into TimeHop's cloud computing service where all the information is stored.
Question is, how were they able to actually achieve this feat? It turns out they didn't have two-factor authentication turned on.
Oh, the existing proper admin of TimeHop didn't have two-factor authentication, so they were able to phish his credentials or something.
But to make sure that they continued to have access, they created a new secret admin account.
But to make sure that they continued to have access, they created a new secret admin account.
Yes.
Oh, that's sneaky, isn't it?
And since December, they kept coming in just occasionally in May and in June, just to have a little poke around. And then on Independence Day, boom, they swooped in, right?
Enter TimeHop's cloud computing account, which wasn't protected, transferred data and attacked the production databases.
Enter TimeHop's cloud computing account, which wasn't protected, transferred data and attacked the production databases.
And presumably they chose Independence Day because they thought, well, there won't be many people around to notice or respond, do you think?
Yeah, that's exactly what I think. So you're out there, you know, either at a barbecue or dealing with family or you know, on a march somewhere, you're not thinking about your IT.
Or blowing your fingers off, which is the American pastime.
Fireworks. Not actually, they don't actually go out with the intention of blowing their fingers off.
I was just thinking in my head going, I don't know what he's talking about.
It's not a euphemism. With guns?
Is it?
I'm a bit bored. Let me go another few.
I don't have to go to work today. What can I do for fun? Now on their— TimeHop's very detailed security incident page, which I'd recommend you guys go take a look.
It's timehop.com/security. I think they've done quite a good job because of course, under new GDPR rules, you need to get all your information out pretty darn quick to users.
It's timehop.com/security. I think they've done quite a good job because of course, under new GDPR rules, you need to get all your information out pretty darn quick to users.
Yes.
In this incident page, they are warning users who have used their mobile number to log in and take some additional security steps.
And I want to explain why they're focusing on the mobile number users. This is basically a warning against things called port scams.
This is where a fraudster who may have collated enough information about you, maybe your date of birth or social security or last digits of your social security number, your postal address, and they might have gotten these from different breaches.
And what the whole point is to pull all this together and try and dupe your telephone carrier into thinking they are you.
And if they're successful, they will try and authorize on your behalf the number porting over to an account or device in the fraudster's control.
Ironically, this is all about two-factor authentication. That's what they're looking for.
They're looking to have your number so that if you access your bank, right, the two-factor authentication code gets sent to your phone, they get the message and they can log in on your behalf.
And I want to explain why they're focusing on the mobile number users. This is basically a warning against things called port scams.
This is where a fraudster who may have collated enough information about you, maybe your date of birth or social security or last digits of your social security number, your postal address, and they might have gotten these from different breaches.
And what the whole point is to pull all this together and try and dupe your telephone carrier into thinking they are you.
And if they're successful, they will try and authorize on your behalf the number porting over to an account or device in the fraudster's control.
Ironically, this is all about two-factor authentication. That's what they're looking for.
They're looking to have your number so that if you access your bank, right, the two-factor authentication code gets sent to your phone, they get the message and they can log in on your behalf.
Now, so they've hijacked your phone number, effectively your mobile phone number. So any two-factor authentication code is sent to that instead. Yeah, that's very sneaky.
They're not going to do this unless they have information about you already. Right. You'd be surprised.
I think a lot of people think that they're safe when actually their information is lurking somewhere in some old paste bin.
I think a lot of people think that they're safe when actually their information is lurking somewhere in some old paste bin.
And as well as your phone number, they've got your email address from Timehop.
So yes, I mean, correlating that with other data breaches, they may well be able to find out all sorts of information about you.
So yes, I mean, correlating that with other data breaches, they may well be able to find out all sorts of information about you.
Exactly. So there's a few things you can do, and this is a good reminder for everybody. Find out if your carrier offers port validation protection.
This is a fancy way to say they have a passcode or PIN number that has to be used. The fraudster won't know that PIN and therefore will not be able to get the port changed.
You may also, if you're changing or if you're getting a new mobile phone, profile phone or changing carriers, ask them what information they would require in order to authenticate your identity.
If it's just publicly available info, maybe go find someone else. And lastly, don't assume you've never been breached.
You can go to sites like haveibeenpwned.com, which is run by a friend of the show, Troy Hunt, and put your email addresses in and see if you come up on any lists that have been potentially scooped up by baddies.
And in those cases, make darn sure you change those passwords to unique, long, great ones.
This is a fancy way to say they have a passcode or PIN number that has to be used. The fraudster won't know that PIN and therefore will not be able to get the port changed.
You may also, if you're changing or if you're getting a new mobile phone, profile phone or changing carriers, ask them what information they would require in order to authenticate your identity.
If it's just publicly available info, maybe go find someone else. And lastly, don't assume you've never been breached.
You can go to sites like haveibeenpwned.com, which is run by a friend of the show, Troy Hunt, and put your email addresses in and see if you come up on any lists that have been potentially scooped up by baddies.
And in those cases, make darn sure you change those passwords to unique, long, great ones.
Good advice. Yeah, very nice. Very nice. And you know what else is nice, Carole?
Tell me, Graham.
It's almost time for Pick of the Week. Boom.
Hey, Graham.
Hey, Carole.
LastPass has this automated password generator, so no more do you have to sit there and dream up silly long passwords that mean nothing to you.
You can just press a button and presto, you've got a 25-character, 50-character password that's impossible to guess.
You can just press a button and presto, you've got a 25-character, 50-character password that's impossible to guess.
Will it put all kinds of crazy characters in?
You can choose to put them in or not, depending on the website, because some websites don't let you do the crazy characters, do they?
Linking websites which don't relate to decent passwords.
Ah, grumble grumble. Check out lastpass.com/smashing.
I'm glad you said slash that time. You're welcome. And welcome back. And you join us at our favorite time of the show, part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security related necessarily.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security related necessarily.
Shouldn't be.
And my Pick of the Week is not security related.
Ooh.
Yeah, exciting, eh? As you know, Carole, and BJ, you may not be aware of this, I'm a big lover of the great outdoors.
I love nothing more than hiking in the mountains, going down the valleys, you know, going to festivals, camping, the great— oh, wonderful.
I love nothing more than hiking in the mountains, going down the valleys, you know, going to festivals, camping, the great— oh, wonderful.
Every single time, and probably I've been outside with Graham probably 5 times in my whole entire life, and every single time he has basically almost died, and I've had to—
Yes.
Really?
He's been swimming and sliced his foot open where I had to swim him back to shore.
We did nearly die that time. We did nearly die. Yeah. What I'm going to recommend to you today is a terrific little service called what3words.com. 3 is the number 3.
They've divided the whole world into a grid of 3-meter by 3-meter squares. And you may be asking yourself, why have they bothered to do that?
Well, they've done that because they have given a name to every 3-meter-by-3-meter square, they've given it 3 words, a unique address made up of 3 words.
Rather than giving someone your latitude and longitude, which is going to be impossible— who on earth would do that? You just give them 3 little words.
And if you give them those 3 little words, they can find out your precise location, which could be handy if you're trying to tell the pizza delivery guy to deliver to a particular place, or if you're trying to give the location of your picnic spot, or where you want the drone to land.
Or if you're at a festival and there's thousands and thousands of horrible tattooed people there.
They've divided the whole world into a grid of 3-meter by 3-meter squares. And you may be asking yourself, why have they bothered to do that?
Well, they've done that because they have given a name to every 3-meter-by-3-meter square, they've given it 3 words, a unique address made up of 3 words.
Rather than giving someone your latitude and longitude, which is going to be impossible— who on earth would do that? You just give them 3 little words.
And if you give them those 3 little words, they can find out your precise location, which could be handy if you're trying to tell the pizza delivery guy to deliver to a particular place, or if you're trying to give the location of your picnic spot, or where you want the drone to land.
Or if you're at a festival and there's thousands and thousands of horrible tattooed people there.
Let me just see how this works with the pizza delivery guy, right?
Okay.
So let's say you are— they're asking for your address, right?
I knew you were going to do this.
And you're going to say what? You're going to say— go ahead.
No, no, look, listen, right? Stop that nonsense right now.
Because you're going to have to tell them to go to the website first, aren't you?
No, not sorry.
You say first go to what3words.com.
Maybe you've listened to the Smashing Security podcast and you've installed the app. Right? Or maybe this is a website which has already heard about What3Words.
Maybe it's built up enough momentum that loads of people are now using What3Words. Come on, we've got to use this thing.
Because, okay, if you're getting a pizza delivered to your home, the pizza delivery guy's not gonna have much trouble. But what if, Carole, what if you are on a campus?
What if you're at your place of work and it isn't obvious which building?
The other day I was out on a gig, I was doing some speaking, and I was in one building and I wasn't in the other one and my taxi driver went to the wrong building.
There was all this hoo-ha and hassle. Well, which building you're at? I'm at this building. No, you're not at this building. Blah, blah, blah, blah.
If I had been able to give him my What3Words, then maybe he'd be able to find me. Or what if you are at a concert or a festival or something that and you're trying to find your—
Maybe it's built up enough momentum that loads of people are now using What3Words. Come on, we've got to use this thing.
Because, okay, if you're getting a pizza delivered to your home, the pizza delivery guy's not gonna have much trouble. But what if, Carole, what if you are on a campus?
What if you're at your place of work and it isn't obvious which building?
The other day I was out on a gig, I was doing some speaking, and I was in one building and I wasn't in the other one and my taxi driver went to the wrong building.
There was all this hoo-ha and hassle. Well, which building you're at? I'm at this building. No, you're not at this building. Blah, blah, blah, blah.
If I had been able to give him my What3Words, then maybe he'd be able to find me. Or what if you are at a concert or a festival or something that and you're trying to find your—
Are you a shareholder?
You're trying to— No.
I feel there's a pitch for a timeshare coming.
No. You're trying to find your tent or where the loos are. You've lost someone who's got the ice cream.
I know, totally.
Well, I think it's quite a clever little idea. I'll give you some examples, right? So there's, here's one: Price's Slippery Traps.
How do you spell that?
Well, as you would expect, Price's Slippery Traps.
Traps?
What is it? Yes, traps.
That's the conversation you all have with your pizza guy. That's what I'm saying.
Well, I will do if it's better than giving him the latitude and longitude, and that would take him to the Eiffel Tower.
I don't know. In England, you can kind of give your house number and your postcode, and that normally works.
Yes, that would work. But do I have to give you my scenarios once again? You're at a concert, you're at a festival, you're hiking, whatever it is, for goodness' sake.
And by the way, this works without a data connection, which is handy. Oh, now you're impressed. How about this one? With harp person will take you to the Oval Office.
And by the way, this works without a data connection, which is handy. Oh, now you're impressed. How about this one? With harp person will take you to the Oval Office.
Sorry, what was that?
Don't even start. It'll take you to the West Wing, the White House. With harp person. I doubt he is with a—
Are you sure it's with harp person, not bed head hairpiece.
Well, you know what? You could enter that.
I wonder if there's embarrassing ones. See, we need an app now to find all the embarrassing ones.
I think they've been careful not to allow rude words and sound-alike words to avoid confusion.
Okay. Canadian High Commission in London.
Yes.
Okay. Engage gossip face.
Now you're liking it, aren't you?
No, I think it's a bit— I'm surprised they want that. They're probably—
They don't choose them. Oh, for goodness sake. There's an album.
I mean, the Canadian High Commission's not gonna go out and you can find us at Engage Gossip Face.
Sounds like a safe word. Right.
Okay. Enough of this. What3words is my pick of the week, and I hope some listeners like it, even though you two don't. Thank you very much. Pick of the week.
Although I have to say, so when I was in a past life, when I was married, we lived up in the Adirondacks, and so my ex-wife and her mom would always go hiking.
And one time they got lost in the woods for over 3 hours and found themselves in front of a state penitentiary.
And had they not found that prison, they probably would've died out there.
So, you know, I can't, I'm joking about it, but I can absolutely see instances of, all right, this could be good because you could get really lost up there and not have any other way to be found unless you have with harp person to enter into an app.
And one time they got lost in the woods for over 3 hours and found themselves in front of a state penitentiary.
And had they not found that prison, they probably would've died out there.
So, you know, I can't, I'm joking about it, but I can absolutely see instances of, all right, this could be good because you could get really lost up there and not have any other way to be found unless you have with harp person to enter into an app.
That's, that's, see, I appreciate that reason more. That makes more sense.
Glad we got BJ on the show then.
It does.
BJ, let's hear your pick of the week.
My pick of the week is a show called Justified, which people can watch on Amazon Prime.
I've seen a few seasons of that, I think a long time ago. It must have started a while ago.
Yeah.
So it's about a decade old at this point. It's one of those shows where people know that—
Cowboys. Ways.
Yes. So he thinks that he's Wyatt Earp, essentially, and he works in the Marshal Service. And so just imagine Wyatt Earp running loose in today's American South. And that's the show.
It really does a great job of portraying the American South in a way that you don't often see.
We kind of have all the stereotypes, but when you watch the show, you kind of understand, oh, this is how bad hairpiece got elected. These people still think it's the 1870s.
And so I think that the show, they should totally bring it back and rebrand it as Trump Country.
It really does a great job of portraying the American South in a way that you don't often see.
We kind of have all the stereotypes, but when you watch the show, you kind of understand, oh, this is how bad hairpiece got elected. These people still think it's the 1870s.
And so I think that the show, they should totally bring it back and rebrand it as Trump Country.
Oh no.
Because I think that it would do really well these days because you would just be, oh, this is why this is happening. But that aside, the show is great.
I really recommend people watch it.
I really recommend people watch it.
I just remember the script was quite fun. There was something quite in the writing that I really liked, I think. It's beautifully written.
There's some wonderful lines from Walton Goggins, who plays the antagonist, Boyd Crowder. And he has some brilliant lines that I think are very memorable and very quotable.
Give us a quote.
And this is from the episode I saw yesterday, so it works out beautifully. This is a bad Southern accent. I've been accused of being a lot of things. Inarticulate ain't one of them.
That's funny. Okay, so that's Justified, and that's on Amazon Prime.
Yes.
Oh, cool. Brilliant.
Okay.
Yes. And Carole, what's your pick of the week?
So a few weeks ago, my lovely buddy Anna started nagging me to check out this new podcast called Dear Joan and Jericha.
And I kept getting these texts from her, have you listened yet? Have you listened yet? And finally I listened and then I immediately saw why she was recommending it.
Dear Joan and Jericha is played by two UK comedy stars. And it's basically agony aunts, which is my dream job, as you both know.
So the comedy stars are Julia Davis and Vicki Pepperdine.
They're kind of radio, kind of local radio agony aunts, but with this wacky, cringy twist, because no matter what problem they're discussing, it's always the woman's fault.
And to an absolute extreme, it's a little bit edgy. This is not for children. It's very adult.
I think the whole concept is they're trying to crack each other up by being more and more edgy, and it's blush-worthy, a bit like The Office. Okay, here, I'll play a bit for you.
Dear Joan and Jericha, my baby's been born with white hair and a full set of teeth.
And I kept getting these texts from her, have you listened yet? Have you listened yet? And finally I listened and then I immediately saw why she was recommending it.
Dear Joan and Jericha is played by two UK comedy stars. And it's basically agony aunts, which is my dream job, as you both know.
So the comedy stars are Julia Davis and Vicki Pepperdine.
They're kind of radio, kind of local radio agony aunts, but with this wacky, cringy twist, because no matter what problem they're discussing, it's always the woman's fault.
And to an absolute extreme, it's a little bit edgy. This is not for children. It's very adult.
I think the whole concept is they're trying to crack each other up by being more and more edgy, and it's blush-worthy, a bit like The Office. Okay, here, I'll play a bit for you.
Dear Joan and Jericha, my baby's been born with white hair and a full set of teeth.
Should I be worried?
Margaret Doreen from Bolton. Well, yes, it— that's white hair, that's not blonde hair, is it?
That's white.
White hair. Yes, yes.
So it sounds to me like she's had a baby that's been born, and that's been in the womb too long.
Sounds to me like an old baby, really.
It's a very old baby. This is uncommon, but sadly and tragically, does happen increasingly nowadays with people's poor diets and lack of vitamins.
Well, it's a weird thing, isn't it, that you could— it's, as you say, it's happening more but it's still rare, it's on the up, and that is where the gestation period goes into 10 months and that's what's happened here, whereby it's aging, it's aged the baby very badly.
So this is particularly with older mums, geriatric mums, anybody over 35 who's having a baby.
If you're going to get pregnant at this very late age, you're going to expect some anomaly. I mean, she was, she's 36. Yes, she's 36.
You know, this may be incidentally a pregnancy from when she was first having periods.
You know, this may be incidentally a pregnancy from when she was first having periods.
It's pure unadulterated filth really, isn't it, Craig?
It kind of is, but they just have this way of going, "Yeah, yeah," supporting each other as though they're saying something quite deep and wise.
So as The Guardian say, this is not for the faint-hearted, but if you're into absurd toxic relationship advice, serve the slice, you know, faux sincerity, this is the one to check out.
So thank you, Anna, for Dear Joan and Jericho.
So as The Guardian say, this is not for the faint-hearted, but if you're into absurd toxic relationship advice, serve the slice, you know, faux sincerity, this is the one to check out.
So thank you, Anna, for Dear Joan and Jericho.
I love it.
Okay. Well, I have heard a little bit of this and it is quite fruity.
I know I did choose a rather tame example.
Fantastic. Well, on that bombshell, we've just about wrapped up this show for this week.
BJ, if people want to follow you online or find out more about you, what's the best way that they can do that?
BJ, if people want to follow you online or find out more about you, what's the best way that they can do that?
So, BJMendelson.com, @BJMendelson on Twitter. And I think I gave this out last time, but my phone number is 646.
So I've been doing a ton of podcasts, and people ask me, "Do you have any trouble giving out your phone number?
Do people send you dick pics?" And so I'm pleased to say that most people are very well behaved. What I get instead, if someone wants to be cheeky, is a picture of Richard Nixon.
Yes, so my actual cell phone number is 646-331-8341. If you text me the word sheetrock, I will send you a free copy of—
So I've been doing a ton of podcasts, and people ask me, "Do you have any trouble giving out your phone number?
Do people send you dick pics?" And so I'm pleased to say that most people are very well behaved. What I get instead, if someone wants to be cheeky, is a picture of Richard Nixon.
Yes, so my actual cell phone number is 646-331-8341. If you text me the word sheetrock, I will send you a free copy of—
I'm just taking a photograph. Hang on.
Yes.
There we go.
It's on its way. It's on its way, BJ. Enjoy that one. Yes, please don't.
But yeah, 646-331-8341 is the phone number if people want to reach me. I got a lot of great responses from listeners of this show, so that was very cool.
Yay.
Fantastic. Well, we're not going to hand out our phone number, but we will give you our Twitter address, which is @smashinsecurity, no G, Twitter wouldn't allow us to have a G.
If you want to grab some stickers or t-shirts or mugs and things like that, you can go to smashingsecurity.com/store. And thanks for tuning in.
If you like the show, please rate us on Apple Podcasts. It helps new listeners discover the show, and you can find new episodes as well at smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye-bye.
If you want to grab some stickers or t-shirts or mugs and things like that, you can go to smashingsecurity.com/store. And thanks for tuning in.
If you like the show, please rate us on Apple Podcasts. It helps new listeners discover the show, and you can find new episodes as well at smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye-bye.
Bye. Now, BJ, are you still single? Because last time you were on the show, I think you were single. Did you get any ladies?
I've just sent him a dick pic. That helps.
Well, if he owns a microscope.
Psst, if you're still listening, remember, please visit smashingsecurity.com/vote so that you can register your vote for Smashing Security in the upcoming Podcast Awards.
We need your help, guys. Thanks.
Psst, if you're still listening, remember, please visit smashingsecurity.com/vote so that you can register your vote for Smashing Security in the upcoming Podcast Awards.
We need your help, guys. Thanks.
