Published: Mon, July 09, 2018
Business | By Kate Woods

Timehop breached due to lack of 2FA, 21 million users hit

The attacker did not carry out the attack until July 4, when they transferred the compromised data and attacked Timehop's production database. The knock-on effect is that you'll have to re-authenticate the Timehop app with your social media accounts if you want to keep using it. Users have also been logged out of their Timehop accounts as a security precaution.

A massive data breach on Timehop has exposed the private details of more than 21 million users.

Timehop stressed that private messages, financial data, social media content, and Timehop data were compromised.

"If you have noticed any content not loading, it is because Timehop deactivated these proactively", it writes, adding: "We have no evidence that any accounts were accessed without authorization".

Astonishingly, the attack was possible because Timehop didn't itself use 2FA for its cloud computing login! Timehop system administrators have added the necessary protections for the accounts that didn't have them and are confident such an attack can't be repeated.

Timehop connects to users' social media accounts and shows what people posted that day throughout the years.

However, Timehop claims that the tokens were deauthorized and made invalid within a "short time window" and cannot be used to gain access to users' social media profiles.

Neither Timehop nor Facebook immediately responded to requests for comment.

Access tokens to your social media and online photo services.

The company said names, email addresses and some phone numbers were breached, as well as encryption keys.

"The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service". "We have no evidence that any accounts were accessed without authorization". But prior to that its Twitter account was only noting that some "unscheduled maintenance" might be causing problems for users accessing the app...

We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.

Referencing GDPR, Timehop writes: "Although the GDPR regulations are vague on a breach of this type (a breach must be 'likely to result in a risk to the rights and freedoms of the individuals'), we are being pro-active and notifying all European Union users and have done so as quickly as possible".

Compromised data includes names, email addresses, and phone numbers.

Timehop noted that the compromised cloud computing account did not have multi-step verification before the incident - a gross oversight on the company's part, given that it's now common practice among firms handling large volumes of user data.
