July 17, 2018//Ellen Neveux
Another day, another data breach. This time the victim was the well-known mobile app, Timehop. During the first week of July 2018, Timehop announced that bad actors had not only attacked their network but that these hackers had actually been in the network since December 2017. Let’s take a deeper look into the Timehop breach and how it illuminates the importance of implementing multi-factor authentication for network security.
What is Timehop?
Timehop is a mobile application that connects to other social media platforms and mines them for information. For example, a user can connect Facebook, Twitter, Google Photos, and more to see what happened on the same day in past years; anything the user shared on that day to any of the connected platforms shows up in the Timehop app as a “memory”. To access these different social accounts, a user must log into each account and authorize Timehop to access it. Timehop then receives an authorized access token that gives it persistent access, so the user has to log in only once to keep the connected accounts available. Although this sounds easy and wonderful for the user, it ultimately led to Timehop’s cyberattack.
Breaking down the breach
The breach occurred because an attacker obtained credentials for an administrator account and used them to log into Timehop’s cloud service provider. According to Bank Info Security, the attacker compromised a cloud service account associated with Timehop. This route was easy for the attacker because the cloud services account didn’t have multi-factor authentication enabled; in other words, the hacker didn’t have many hoops to jump through to get to PII. Once in, the attacker created a new administrator account and began their reconnaissance.
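The sequence described above (an administrator login without multi-factor authentication, followed by creation of a new administrator account) is something defenders can alert on. The following is an added example, not code from Timehop or its cloud provider; the event schema, field names, account names and sample records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical, provider-neutral schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "actor": "alice", "action": "ConsoleLogin", "mfa": True},
    {"time": "2024-01-10T09:30:00", "actor": "alice", "action": "CreateUser",
     "target": "build-admin", "role": "admin"},
    {"time": "2024-01-10T04:12:00", "actor": "ops-admin", "action": "ConsoleLogin", "mfa": False},
    {"time": "2024-01-10T04:20:00", "actor": "ops-admin", "action": "CreateUser",
     "target": "svc-backup2", "role": "admin"},
    {"time": "2024-01-10T10:00:00", "actor": "bob", "action": "ConsoleLogin", "mfa": False},
    {"time": "2024-01-10T10:05:00", "actor": "bob", "action": "CreateUser",
     "target": "report-viewer", "role": "read-only"},
]


def find_unprotected_admin_creation(events, window=timedelta(hours=24)):
    """Flag admin-account creations made within `window` of a non-MFA login by the same actor."""
    last_weak_login = {}  # actor -> time of the most recent login without MFA
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["actor"]
        if ev["action"] == "ConsoleLogin":
            if ev.get("mfa"):
                # A later MFA-backed login supersedes the weak session.
                last_weak_login.pop(actor, None)
            else:
                last_weak_login[actor] = ts
        elif ev["action"] == "CreateUser" and ev.get("role") == "admin":
            login = last_weak_login.get(actor)
            if login is not None and ts - login <= window:
                findings.append({
                    "actor": actor,
                    "new_admin": ev["target"],
                    "login_time": login.isoformat(),
                    "created_time": ts.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_unprotected_admin_creation(SAMPLE_EVENTS):
        print("ALERT:", finding)
```
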
Since discovering the breach, Timehop has reported that over 21 million users are affected. Across those 21 million, different kinds of information were exposed to the hackers. According to Timehop’s website, the compromised data includes names, email addresses, access tokens, phone numbers, gender, date of birth, and country code. All users can do now is log in again to get a new token for their connected accounts and keep an eye on their other accounts (e.g. bank accounts). According to Motherboard, leaked phone numbers can lead to massive headaches for users, since many use their phone number as a way to reset passwords on numerous accounts. If a hacker knows your phone number, they can easily get into other accounts.
Once Timehop found out about the breach, they immediately notified US federal law enforcement and European regulators, since the GDPR requires breached organizations, within reason, to report a breach within 72 hours. Timehop says that they are taking the following steps to improve their cybersecurity strategy: