Social media aggregation app Timehop has admitted it is at the centre of a large data breach after it reported that the data from 21 million users had been stolen on 4 July.
Timehop is a smartphone application that collects old photos and posts from social networking platforms such as Facebook, Instagram and Twitter, as well as photos stored in Dropbox.
But it seems Timehop’s cloud environment was not totally secure, as it was compromised by an ‘unauthorised attacker’ who conducted both reconnaissance and then data theft.

Independence day

The ‘security incident’ began in December last year when an ‘unauthorised attacker’ utilised an ‘authorised administrative user’s credentials’ to log into Timehop’s cloud computing provider.
This attacker then “created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment,” blogged Timehop. “For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorised user logged in again and continued to conduct reconnaissance.”
Timehop has confirmed that the cloud service data was not protected by two-factor authentication, and matters took a more sinister turn in early July, on US Independence Day.
“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data,” said Timehop. “At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 PM, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”
The firm immediately contacted law enforcement and “retained services of a cyber security incident response company, a cyber security threat intelligence company; and a crisis communications company.”
It seems that the bulk of the data stolen consisted of usernames and email addresses, but 4.7m phone numbers were also nicked in the process. And it seems that tokens provided by social media platforms to Timehop that allowed the app to access images and posts were also stolen.

Expert reaction

Experts pointed to Timehop’s failure to properly secure their cloud platform.
“The rapid adoption of cloud and SaaS services has altered the security paradigm,” said Max Heinemeyer, director of threat hunting at Darktrace. “Cloud-only and hybrid infrastructures bring organisations many undeniable benefits, such as increased agility and scalability on demand. But while organisations can outsource their IT processes, they cannot outsource their security function altogether.”
“The reality is that the cloud can be a security blind spot for organisations and the compromise of credentials, such as we have seen in this Timehop breach, is an increasingly common threat scenario,” said Heinemeyer. Cloud providers struggle to design their platforms with this risk in mind, leaving a gaping security hole for cloud customers.
Another expert pointed to Timehop’s lack of two-factor authentication to protect customer data.