Pierluigi Paganini July 09, 2018

Timehop, the service that aims to help people in finding new ways to connect with each other by analyzing past activities, has been hacked.

Timehop is a service that aims to help people in finding new ways to connect with each other by analyzing past activities.

“Timehop created the digital nostalgia category and continues to be THE team reinventing reminiscing for the digital era. We have more “old” photos and content than ever before, yet most of the internet focuses on “new”.” reads its website.

The Timehop service leverages posts from many social networks to build its own memory and use it to create new connections, but something went wrong.

The company admitted that data describing 21 million members may have been exposed.

Unknown attackers breached into its systems, the company discovered the intrusion while the hackers were exfiltrating the data.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” reads the data breach notification published by the company.

Stolen data includes names, email addresses, and some phone numbers, while no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were exposed.

The company pointed out that none of the users’ “memories,” – the social media posts & photos that Timehop stores, were accessed by the attackers.

The company admitted that hackers obtained access credential to its cloud computing environment, that incredibly was not protected by multifactor authentication.

The security team locked out the attackers two hours and nineteen minutes later its discovery.

The attackers also accessed the keys that let Timehop read and show you your social media posts (but not private messages), in response to the incident the IT staff at the company has deactivated them, this means that users will have to re-authenticate to their App.

The bad news is that the security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. Timehop tried to downplay the problem explaining that the tokens have been quickly revoked and currently don’t work.

“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.” continues the company’s notification.“However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.“

Timehop is warning its users that provided a phone number for the authentication of taking additional security precautions with their cellular provider to ensure that their number cannot be ported.

The company now has taken steps to improve the security of its architecture, including the adoption of multifactor authentication to secure our authorization and access controls on all accounts.

Technical details about the incident have been published in this post.

Pierluigi Paganini

(Security Affairs – Timehop, Data Breach)

[adrotate banner=”5″]

[adrotate banner=”13″]