Timehop deactivates 21 million user accounts after hackers steal access keys, other data
Timehop deactivates 21 million user accounts after hackers steal access keys, other data

Timehop has deauthorized all 21 million of its user accounts after hackers intruders infiltrated its cloud infrastructure on December 19, 2017, through a poorly protected admin account pilfered information, including access keys that could be used to gain entry to the victims' social media accounts where the app is used to recall posts from the same date in previous years. 

"To reiterate: none of your 'memories' - the social media posts & photos that Timehop stores - were accessed," Timehop said in a statement about the hack, which went detected until July 4 when the hackers began to extract information. “If you have noticed any content not loading, it is because Timehop deactivated these proactively,” the company said, noting there was “no evidence that any accounts were accessed without authorization."

Users were logged out of their accounts until the company could reset all keys, Timehop said.

The company had widely deployed two-factor authentication as part of its normal security practices but the exploited admin account was inadvertently overlooked.The hackers activities in the Timehop system went undetected because the activity from that account didn't read as suspicious. During initial incursions, the intruders “didn't do anything abnormal,” said Timehop COO Rick Webb. “They checked database schema.” The behavior, he said, was in accordance with the permissions given to the admin account. But on July 4 that changed when the hackers exfiltrated data and left Timehop in the unenviable position of having to mitigate the incident over a holiday.

In addition to access keys, the hackers nicked email addresses, usernames (many of them are not real names) and telephone numbers, although only about 4.7 million users had phone numbers attached to their Timehop accounts. 

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” the company said, stressing that it didn't store credit card, financial data and location data, or IP addresses. Nor does it store copies of social media profiles and user information is separated from social media content. The company explained that it deletes its copies of users' “Memories” after users have seen them.

Timehop's response reflects a growing trend by organizations to promptly notify customers. "We're seeing an increase in breach notification, as organizations do their utmost to adhere to the 72-hour imposed timescales,” said Dan Pitman, senior solutions architect at Alert Logic. “Although Timehop was guilty of a ‘schoolboy' error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly."

Webb said transparency and prompt notification were no-brainers for the company, which also took steps to ensure that it met potential GDPR obligations, including contacting a law firm right away that dispatched an attorney in Europe to work with regulatory authorities.

Timehop is a smartphone app that collects old photos and posts from Facebook, Instagram, Twitter, and Dropbox photos for distribution among friends.