Timehop Reveals Additional Data Compromised by Hacker
Exposed Data Includes Victims' Birthdates, Genders, Country Codes and IP Addresses
Timehop, the social media app that resurfaces older social media posts for entertainment, says its ongoing data breach investigation has revealed that attackers may have compromised more personal information than it previously suspected.
The New York-based company released a detailed breakdown of the number of users affected by varying combinations of lost data. As part of what it says is an effort to be fully transparent, it also described the entire schema of the database that was compromised.
The new classes of data that Timehop says were exposed include genders, birthdates, country codes and IP addresses.
Timehop defended its initial public communications around the breach in which it said 21 million users were affected, with the exposed data including names, email addresses, access tokens and in some cases, phone numbers (see Timehop: Lack of Multifactor Login Controls Led to Breach).
The company says it "messed up" its initial disclosure, saying that in its "enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything" (see Data Breach Notifications: What's Optimal Timing?).
"We recognize this second disclosure creates the sensation that we are releasing information slowly, in a 'drip drip' fashion, to mitigate the potential fallout," Timehop says in an update on its website. "We can only assure you that this is not the case. If anything, we are deeply embarrassed to have to make this secondary disclosure."
Breach Duration: Seven Months or More
Timehop says it detected the attack on July 4 after an alert revealed that data was being transferred out of a production database.
But the intruder had been in Timehop's systems for at least seven months - since at least December 2017. Around that time, someone logged into Timehop's cloud services provider using valid credentials for an account administrator.
Timehop says it was not using multifactor authentication to protect the administrator's account.
The intruder created a new administrator account and began looking around the company's systems. Timehop says it found the intruder logged in on one day in March and another day in June.
Following its detection of the breach, Timehop says it has now conducted a thorough review of access control and implemented multifactor authentication where possible. A table from Timehop shows the scope of how many people were affected and what kinds of data were compromised.
One of the new types of potentially exposed data is IP addresses, Timehop says.
"Due to the manner in which log queries work with our cloud provider, we will never be able to say with 100 percent certainty that the intruders did not access IP addresses," the company says. "Therefore, we are giving notification, now, that your IP address may have been compromised."
It also posted the entire schema of the database that was compromised so users know exactly what was in it.
"People have asked us whether more personally identifiable information will come out, and if we say no, how they can know," Timehop says. "Rather than simply assure you, we are taking the transparent step of simply posting publicly the entirety of the schema of the table that contained personally identifiable information, so you can see for yourself what was taken."
Data Likely Destined for Dark Web
There was one category of data released that Timehop says occupied much of its time when it discovered it had been breached: access tokens. That's, in part, why the company missed the additional data that was exposed.
When individuals use Timehop, they give it authorization to maintain persistent access to social media accounts such as Facebook, Twitter, Instagram, Google and Dropbox.
Timehop is then granted an access token. When it discovered that those tokens were exposed, one of its top three priorities was to de-authorize the keys for those tokens, which it did.
There was a short window of time when the tokens could have been used before they were invalidated. But Timehop says there's no evidence that occurred.
The access tokens had limited access. A token would allow someone to view posts on a person's social media account, but did not allow access to private messages, Timehop said.
The company has notified regulators in Europe about the breach, as is required by the General Data Protection Regulation, which has been enforced since May 25. Under the regulation, organizations must report breaches to relevant authorities within 72 hours of learning about them.
Timehop has said it also notified U.S. federal law enforcement and hired incident response and threat intelligence contractors and a crisis communications firm.
The threat intelligence company is now monitoring whether the stolen data has been used in the wild, Timehop says. The company predicts that there is "a high likelihood that they soon will appear in forums and be included in lists that circulate on the internet and the dark web."