Timehop is a smartphone app for iOS and Android users that was developed in 2011 with the idea of collecting old posts and photos of social media users including Facebook, Instagram, Dropbox and Twitter to display them as the same day in past years.
However, now the company is making headlines for all the wrong reasons. Yes, Timehop has suffered a massive data breach in which personal details of over 21 million users have been stolen. The stolen data includes names, email address and phone numbers – In total, over 4.7 million users had their phone numbers linked to their accounts.
Moreover, keys or access tokens that let the app go through and display social media posts to users have also been compromised. However, the company claims that financial data, private messages, photos and other social media content remained unaffected – For now, the Timehop has deactivated keys which means hackers can not access your social media accounts.
The details of the breach are troubling – According to Timehop’s technical analysis, attackers started targeting the company on December 19th, 2017 after breaching its Cloud computing servers and creating a new admin account (without two-factor authentication). The account was used twice by attackers in December to access the server, then once in March 2018 and once in June to have a last look at the data before stealing it on July 4th.
Now that the damage has been done, Timehop has decided to enable multifactor authentication for all accounts. The company is also in touch with law enforcement agencies and hired a cybersecurity threat intelligence company and a crisis communications firm.
“Account compromises can be mitigated, if not totally prevented when organizations put the right safeguards in place,” said Varun Badhwar, a cloud security expert and CEO & co-founder of RedLock.
“Unfortunately, as RedLock’s May 2018 Cloud Security Trends Report uncovered, 27% of organizations have experienced potential account compromises. When organizations embrace the shared responsibility model of cloud computing, which directs them to provide their own security ‘in’ the cloud, and when they adopt a cloud threat defense strategy, account compromises will largely become a thing of the past.”
This is the fourth data breach in the last couple of months. In June, DNA testing website MyHeritage suffered a data breach in which personal data of 92 million users was stolen. In June again, Flight tracking service Flightradar24 had its servers compromised when 230,000 of its user accounts were affected – In July, Adidas’s US website was hacked in which millions of customer data was stolen by hackers.