
Timehop breached due to lack of 2FA, 21 million users hit

09 July 2018

"No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected", the firm added.

Timehop, an app that allows you to go through a history of your past posts on various social media, was hacked on July 4th this year, says a post on the company's website.

For this reason, Timehop urges those users to take steps to ensure that their cell number cannot be ported without their knowledge.

Timehop said that the details were stolen because it didn't use two-factor authentication (2FA) on its cloud computing login. The attacker managed to access an internal database and stole the personal data of 21 million users from Timehop's cloud computing environment.

"At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion".

It was closed down just two hours and 19 minutes later.

About 4.7 million of those accounts had a phone number attached to them.

The breach also led to the loss of access tokens Timehop uses to access other social networks such as Twitter, Facebook and Instagram and the posts you've made there. These keys have since been deactivated, which makes them useless to the attackers. Timehop has automatically logged everyone out in order to reset security keys. "In general, Timehop only has access to social media posts you post yourself to your profile", it adds.

"However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened", the company noted. Some fraudsters have begun to immediately discount secure phones altogether.

If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number. It might also be helpful to institute limits on amounts that can be spent with your card online.

Timehop has now invalidated all API tokens and produced one of the most comprehensive security bulletins we've ever seen, with a wealth of information including what the implications are under GDPR - or, more specifically, that they are not entirely clear.

"To reiterate: none of your "memories" - the social media posts & photos that Timehop stores - were accessed", Timehop said in a statement.

Users who used their phone number to log in are advised by the company to contact their mobile provider in order to make sure their number cannot be ported.

"The breach occurred because an access credential to our cloud computing environment was compromised", the company said.

That's very clearly a major security failure - but one Timehop does not explicitly explain, writing only that: "We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts".
