Timehop reveals July 4 breach included gender, country, and DOB info

The company says it is working out how to deal with its GDPR obligations.
Written by Chris Duckett, Contributor

Timehop has updated its pair of blog posts concerning its July 4 breach, revealing that gender, country, language, and date of birth information was contained in the exfiltrated database.

Of the nearly 21 million records taken from the service, which surfaces a user's past social media content, over 15 million contained a date of birth and more than 9 million included gender information.

The company said it had "messed up" in not including the new data in its original breach notice.

"As we examined the more comprehensive audit on Monday of the actual database tables that were stolen, it became clear that there was more information in the tables than we had originally disclosed," Timehop said.

"We are deeply sorry for this secondary disclosure."

Timehop also said the attacker only gained access to the personal user information after an employee, whose credentials had been compromised, legitimately migrated a user table into the database the attacker was already watching. Three months later, the attacker returned, restored a snapshot containing the new user data into a new cluster, and reset the passwords on the existing user database.

The company also provided a list of columns from the breached database to show what information was contained, as well as an updated timeline that showed the incident was treated as maintenance until July 5.

"[Engineers] did not immediately suspect a security incident for two reasons that in retrospect are learning moments," the company said.

"First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password.

"Second, password anomalies of a similar nature had been observed in a past outage. He made the decision that the event would be examined the next day, when engineers returned to the office."
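The detection gap described above, a database password reset written off as maintenance on a holiday, is closed by treating credential resets and snapshot restores as security events unless they match an approved change. The following is an added illustration, not Timehop's code; the event format, actor names, holiday list and change records are constructed assumptions.

```python
"""Triage sensitive database actions against approved change records.

Constructed example: the audit-event shape, actors and tickets below are
assumptions for illustration, not data from the Timehop incident.
"""
from datetime import datetime

# Constructed audit events, assumed to come from a cloud audit log.
EVENTS = [
    {"time": "2018-07-04T14:20:00", "actor": "ci-deploy",
     "action": "ResetDatabasePassword", "target": "users-db"},
    {"time": "2018-07-04T14:25:00", "actor": "ci-deploy",
     "action": "RestoreSnapshotToNewCluster", "target": "users-db-snap"},
    {"time": "2018-06-12T10:00:00", "actor": "alice",
     "action": "ResetDatabasePassword", "target": "users-db"},
    {"time": "2018-06-12T10:05:00", "actor": "alice",
     "action": "DescribeDatabase", "target": "users-db"},
]

# Constructed change tickets: who may do what, and during which window.
APPROVED_CHANGES = [
    {"actor": "alice", "action": "ResetDatabasePassword",
     "start": "2018-06-12T09:00:00", "end": "2018-06-12T12:00:00"},
]

SENSITIVE_ACTIONS = {"ResetDatabasePassword", "RestoreSnapshotToNewCluster"}
HOLIDAYS = {"2018-07-04"}  # assumed company holiday calendar


def is_approved(event):
    """True only if an approved change covers this actor, action and time."""
    t = datetime.fromisoformat(event["time"])
    return any(c["actor"] == event["actor"] and c["action"] == event["action"]
               and datetime.fromisoformat(c["start"]) <= t
               <= datetime.fromisoformat(c["end"])
               for c in APPROVED_CHANGES)


def is_off_hours(event):
    """Weekend, holiday or outside 09:00-18:00: nobody should be doing maintenance."""
    t = datetime.fromisoformat(event["time"])
    return t.weekday() >= 5 or t.date().isoformat() in HOLIDAYS \
        or not 9 <= t.hour < 18


def triage(events):
    """Return alerts for unapproved sensitive actions; off-hours ones are high."""
    alerts = []
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and not is_approved(e):
            alerts.append({**e, "severity": "high" if is_off_hours(e) else "medium",
                           "reason": "sensitive DB action with no approved change"})
    return alerts
```

The rule deliberately refuses to downgrade an unmatched reset on a holiday: absence of engineers is an aggravating factor, not an explanation.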

Timehop added that with GDPR recently coming into force, the company took some time to come to grips with its obligations.

"The GDPR became effective very recently, and there are not many guidelines on how key concepts such as 'risks to the rights and freedoms of the individuals' should be interpreted, but we are being transparent and proactive and notifying all EU users on a voluntary basis and have done so as quickly as possible," it said.

"We are also in contact with EU authorities."

In its initial notice, Timehop said the breach was due to a lack of two-factor authentication on its cloud environment, which has now been rectified.

As a result of the breach, Timehop voided all social media authorisation tokens it held, with users needing to reauthenticate to continue using the service.
