Lack of multifactor login controls resulted in breach




The Breach Stresses the Need for Strong Authentication in Cloud Services

Timehop: The lack of multifactor login controls led to the breach

Timehop, an application that revives old social media posts, says that 21 million users are affected by a breach of names, email addresses, access tokens and, for some users, phone numbers.


Of the 21 million users, 22%, or 4.7 million, saw their phone number exposed, says Timehop. The breach, which occurred on July 4, was contained after about two and a half hours, says Timehop in a notice.

The attacker compromised a Timehop-owned cloud services account for which multifactor authentication was not enabled.

"We have now taken steps that include multifactor authentication to secure our authorization and access checks on all accounts," Timehop says.

Revoked Access Tokens

Once users have agreed, the Timehop app can mine social media accounts such as Facebook, Twitter, Instagram, Google and Dropbox. Timehop gets an access token that allows it to maintain persistent access.

After discovering the breach, Timehop invalidated these tokens. It says there was a short window of time, however, when the attacker could have used the tokens, although there is no evidence that this occurred.

"While we were sure that the keys to access these services had not been used, we felt that the potential exposure of this content justified an emergency interruption of service to ensure that attackers could not, for example, view personal photos," the statement said. "Through conversations with the information security, engineering and communications staff at these vendors, we were able to disable the keys and confirm that no photos had been compromised."

The token obtained by Timehop does not allow it to display private messages, such as Facebook Messenger or direct messages on Twitter or Instagram. But the token allows the postings on a person's profile, the company says.

Seeds of Attack

Although the attack took place on July 4, its roots go back to December, says Timehop.

Someone obtained valid user credentials for an administrator account, and then used them to log in to Timehop's cloud service provider. The unauthorized user created a new administrator account and then began to do reconnaissance, Timehop says in a technical note.

"For the next two days, and one day in March 2018 and one day in June 2018, the unauthorized user logged in again and continued to do reconnaissance," says the company.

Then on July 4, Timehop received an alert of an attack on a production database that involved the transfer of data.

Breach Cleanup

Once Timehop understood the scope, it started a series of defensive steps. This included creating an inventory of user permissions, changing all passwords and keys, and activating multifactor authentication for all cloud-based accounts, including on the compromised service.

Timehop claims to have also revoked inappropriate permissions, increased its system of authentication, alert and monitoring, and reviewed the authentication and the ... It also introduced "more pervasive encryption throughout our environment."
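The permission inventory and authentication review described above can be expressed as checks over an account list and an audit log. The following is an added example, not Timehop's code or any provider's schema; the record fields, account names and exact dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not a real provider's schema.
ACCOUNTS = [
    {"user": "ops-admin", "role": "admin", "mfa": False},
    {"user": "svc-backup2", "role": "admin", "mfa": False},
    {"user": "dev-alice", "role": "member", "mfa": True},
    {"user": "sec-admin", "role": "admin", "mfa": True},
]
EVENTS = [
    {"day": date(2017, 12, 19), "actor": "ops-admin", "action": "login", "mfa_used": False},
    {"day": date(2017, 12, 19), "actor": "ops-admin", "action": "create_user",
     "target": "svc-backup2", "target_role": "admin", "mfa_used": False},
    {"day": date(2017, 12, 20), "actor": "svc-backup2", "action": "login", "mfa_used": False},
    {"day": date(2018, 3, 14), "actor": "svc-backup2", "action": "login", "mfa_used": False},
    {"day": date(2018, 6, 21), "actor": "svc-backup2", "action": "login", "mfa_used": False},
    {"day": date(2018, 6, 2), "actor": "sec-admin", "action": "login", "mfa_used": True},
]

def admins_without_mfa(accounts):
    """Inventory check: administrator accounts with no second factor enrolled."""
    return sorted(a["user"] for a in accounts if a["role"] == "admin" and not a["mfa"])

def admin_creations_without_mfa(events):
    """Audit-log check: admin accounts created from a session that skipped MFA."""
    return [(e["actor"], e["target"]) for e in events
            if e["action"] == "create_user" and e.get("target_role") == "admin" and not e["mfa_used"]]

def sporadic_admin_logins(accounts, events, gap_days=60):
    """Admin accounts that log in again after long idle gaps; returns the longest gap in days."""
    admins = {a["user"] for a in accounts if a["role"] == "admin"}
    days = {}
    for e in events:
        if e["action"] == "login" and e["actor"] in admins:
            days.setdefault(e["actor"], []).append(e["day"])
    flagged = {}
    for user, ds in days.items():
        ds.sort()
        gaps = [(b - a).days for a, b in zip(ds, ds[1:])]
        if any(g >= gap_days for g in gaps):
            flagged[user] = max(gaps)
    return flagged

if __name__ == "__main__":
    print("Admins without MFA:", admins_without_mfa(ACCOUNTS))
    print("Admin accounts created without MFA:", admin_creations_without_mfa(EVENTS))
    print("Sporadic admin logins:", sporadic_admin_logins(ACCOUNTS, EVENTS))
```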

Because Timehop has invalidated access tokens, users will need to log in and link social media services to Timehop again.

"This will generate a new secure token," says Timehop. "Because the integrity of your data is our first priority, we have disabled tokens as quickly as possible. As we have mentioned, if you have noticed content that does not load, it is because we have disabled these tokens proactively."

The company says it has informed the federal security forces, an incident response and threat intelligence agency, and a crisis communication company.

It also notified European regulators. The EU's General Data Protection Regulation, one of the strictest in the world, came into effect on 25 May. Organizations are required to report breaches to regulators and users within 72 hours.
