Timehop breach hits 21 million users due to a lack of 2FA on cloud services

Usernames, email addresses, and social media tokens for 21 million users breached, with 4.7 million phone numbers scooped up in the process.
Written by Chris Duckett, Contributor

Timehop, a service that surfaces a user's past social media content, has revealed a security breach that hit the company on July 4 and resulted in a database of 21 million users being hit.

As a result, the company has voided all social media authorisation tokens it held, and is alerting its users.

Around 4.7 million phone numbers were breached, alongside usernames and email addresses. Timehop said no financial data was affected, nor social media content, and there has been no evidence of any improper account access.

"A small number of records included a name, a phone number, and an email address; a somewhat larger number included a name and phone number; a larger number included a name and an email address," the company said. "No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached."

The intrusion began just after 2pm EST on July 4, and ended two hours and 19 minutes later when the attackers were locked out, Timehop said.

"The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication," it said.

In another blog post, the company said that on December 19, admin credentials were used by an unauthorised user to log in to its cloud environment. The user began reconnaissance activities over the next two days, and logged in twice more leading up to July 4.

"Once we recognised that there had been a data security incident, Timehop's CEO and COO contacted the board of directors and company technical advisors; informed federal law enforcement officials; and retained the services of a cybersecurity incident response company, a cybersecurity threat intelligence company; and a crisis communications company," Timehop said.

With the company voiding its social media tokens, users will need to reauthenticate each service to continue using Timehop.

Last week, Linux distribution Gentoo detailed how an attack on its GitHub organisation was successful.

The attack took place on June 28, and saw Gentoo unable to use GitHub for approximately five days.

Due to a lack of two-factor authentication, once the attacker guessed an admin's password, the organisation was in trouble.

"The attacker gained access to a password of an organisation administrator. Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated web pages," the incident report said.

Gentoo now has a requirement for two-factor authentication to join its GitHub organisation.
