Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users

And the hacks just keep on coming.

The Timehop social media app was hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its Cloud Computing Environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.
"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised


Moreover, the attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a "short time window" after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

The stolen access tokens cannot now be used to gain access to any of your social media profiles, and the company also claims that there is "no evidence that this actually happened."
"In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens," the company said.
It should also be noted that these authorization tokens do not give anyone, including the company itself, access to your private messages on Facebook Messenger, Direct Messages on Twitter and Instagram, and things that your friends post to your Facebook wall.

Timehop is also confident that the security breach did not affect your private/direct messages, financial data, social media and photo content, and other Timehop data including streaks and memories.

Timehop also pointed out that there was no evidence that any account was accessed without authorization.

Data Breach Aided By Lack of Two-Factor Authentication


"The breach occurred because an access credential to our cloud computing environment was compromised," Timehop said.
The same day Timehop identified the breach on its network, we reported about the Gentoo GitHub account hack that allowed intruders to replace the content of the project's repositories and pages with malicious content, after guessing the account password.

The Gentoo breach was aided by the lack of two-factor authentication (2FA) for its GitHub account. 2FA makes it mandatory for users to enter an additional passcode besides the password in order to gain access to the account.

The same happened with Timehop.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment by using a compromised credential.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.
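
A defender's check for the gap described above, as an added example that is not from Timehop or the original article: it scans a credential inventory for accounts that a single stolen secret could unlock. The CSV layout follows the AWS IAM credential report as an assumption (the article does not name the cloud provider), and the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows. Column names follow the AWS IAM credential report
# (assumption: the article does not name Timehop's cloud provider).
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,true,false,false
admin-legacy,true,false,true,false
deploy-bot,false,false,true,false
alice,true,true,false,false
"""

ROOT = "<root_account>"


def audit_credentials(report_csv):
    """Map each user to the single-factor credentials that could unlock it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports "not_supported" here, yet root always has a password.
        has_password = user == ROOT or row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])

        issues = []
        if has_password and not has_mfa:
            issues.append("password login without MFA")
        if has_key:
            # API calls signed with an access key are not challenged for a
            # second factor unless a policy explicitly demands it.
            issues.append("long-lived access key active")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credentials(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

Enabling MFA clears the first finding only; access keys need rotation, scoping, or a policy that requires a second factor.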

Timehop has now logged all of its users out of the app after the company invalidated all API credentials, which means you will need to re-authenticate each of your social media accounts to the app when you log into your Timehop account to generate a new token.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.

Since the new GDPR privacy law defines a breach as "likely to result in a risk to the rights and freedoms of the individuals," Timehop claims to have notified all of its affected European users and is working closely with GDPR experts to assist in the countermeasures.

To know more about the incident and how it happened, you can head on to the technical report published by Timehop, which provides a more detailed breakdown of the security incident.