The Timehop service aims to help people find new ways to connect with each other by analyzing past activities. Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.
The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens were quickly revoked and no longer work.
On Wednesday, the company provided an update on the incident, adding that further information was exposed, including dates of birth, genders, and country codes.
“Earlier reports of ‘up to 21 million emails’ were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records,” reads the update provided by the company.
| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |
The company provided a detailed analysis of the exposed information, specifically of the affected PII records, in compliance with the GDPR.
According to the company, hackers first broke into its systems on December 19, 2017, using an employee’s credentials for the company’s cloud computing environment.
The attackers accessed the systems through an IP address in the Netherlands.
In a first phase, the hacker conducted reconnaissance. At that time, the compromised environment did not yet store any personal information. In early April, the company moved personal information to the compromised database, and the attackers found it only on June 22.
On July 4, the hacker exfiltrated the data and changed its password. The company noticed the activity within nearly 24 hours.
“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”
(Security Affairs – Timehop, hacking)