Timehop application database breach leaks data of 21 million users




The company behind the Timehop application has disclosed a breach of the application's user database that leaked the personal data of 21 million users. The data includes user names and e-mail addresses. About a fifth of the users affected by this breach, the equivalent of 4.7 million users, also had phone numbers attached to their accounts.

The Timehop app resurfaces your old photos and dated posts from previous years on social networking sites such as Twitter, Facebook and Instagram by connecting to your profiles. The company, which integrates its service with social networking accounts to resurface old posts and photos, said that it discovered the attack while it was in progress on April 4th and that its engineers were able to put security measures in place to secure its services.

According to the preliminary investigation of the incident announced by the company, the attacker first accessed the Timehop application's cloud computing provider on 19 December 2017 using compromised administrator credentials, and created a new administrative user account. The attacker then carried out reconnaissance in the cloud computing environment on two further occasions, the first over two days in March 2018 and the second on one day in June 2018, and then on July 4, 2018 carried out the attack on the database and transferred user data. The company disclosed the details of the breach in a post on its blog last Saturday, several days after the discovery of the attack.

The company said in its post that it is committed to transparency and to providing all its users and partners with the information they need to understand what has happened. Some data was affected, including names, e-mail addresses and certain phone numbers. No other data, such as private messages, financial statements, social media content or Timehop data, was affected, and none of your digital memories (the social media posts and photos stored by the Timehop application) were affected.

However, the keys that allow reading and viewing the content of users' social network accounts were compromised, so all keys have been disabled, which means that Timehop users will have to re-authenticate the application to continue using the service.

"If you notice any content that is not loading, it is because Timehop has canceled it proactively. You may have noticed that your application account is offline; we have done so very carefully to reset all keys. However, we have no evidence that any account has been accessed without permission."

The company also admitted that it was theoretically possible for unauthorized parties who accessed the site to use the security codes to access Timehop users' social network accounts over a short period, but said that these codes would not have allowed anyone to access Facebook Messenger, Twitter, Instagram, or things that your friends post on your Facebook news feed. Timehop only has access to social media posts that you publish on your own profile.

The damage caused by this breach was limited by the company's long-standing commitment to use only the data it needs to provide its services. Timehop did not store credit cards, financial data, location data or users' IP addresses, or copies of their social media profiles; the company kept user information separate from social media content and deleted its copies of content after you had seen them.


To gain access to its network, the attacker appears to have penetrated Timehop's cloud computing environment by targeting an account that was not protected by multifactor authentication.

This is clearly a major security failure, but the company has not explained exactly how it happened: "We have now taken steps involving multifactor authentication to secure our authorization and access controls on all accounts."

Part of the formal incident response that the company says it started on July 5 was to add multifactor authentication to all accounts that did not already have it, across all cloud services (not just the cloud service provider). So it is clear that there was more than one unsecured account that an attacker could have targeted; its management team should therefore explain why multifactor authentication was not applied to all of its cloud computing accounts.

"At the same time as we were working to stop the attack and strengthen security, we were communicating with security experts, incident response specialists, and local and federal law enforcement officials, and we were working with our social media providers." It is not yet clear whether users have been hacked.

The company shared the blog post disclosing the security breach on its Twitter account on July 8th. Before that, its Twitter account had only confirmed that unplanned maintenance was causing problems for users logging into the application.

The recently introduced General Data Protection Regulation (GDPR) gives data controllers the responsibility to report breaches and to do so promptly, setting a universal standard of 72 hours for the reporting period.

Timehop refers to the data protection regulation in its post: "Although the Data Protection Regulation is vague in relation to this type of breach, where the breach should threaten the rights and freedoms of individuals, we did this as quickly as possible, and we have maintained our work with our GDPR data protection specialists to help us do that."

The company also stated that it has engaged a cyber threat intelligence service to search for evidence of the e-mail addresses, phone numbers and names of hacked users being used on the Internet and on the Dark Web.

This article on the Timehop database breach and the disclosure of data on 21 million users was published on Gulf 365; its content was written by Arab Technical News Portal.
