Published: Mon, July 09, 2018
Business | By Tara Barton

Personal information of Timehop users stolen by hackers

Personal information of Timehop users stolen by hackers

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

The good news is that it appears none of your social media posts or photos were obtained - the company deletes this data after you have viewed it. Timehops also says there is no evidence that the hackers gained access to any accounts.

Timehop users who are anxious the network intrusion and data breach might have impact their "Streak" - aka the number Timehop displays to denote how many consecutive days they have opened the app - are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".

According to Timehop, "there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens".

The company said names, email address and some phone numbers were breached as well as encryption keys. "The breach occurred because an access credential to our cloud computing environment was compromised", the company's admitted. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.

Some data was breached.

The bad news is that Timehop just announced a data breach.

Kevin Anderson can beat Roger Federer, says Philipp Kohlschreiber
The blow appeared to suck the life out of Mannarino and he was broken in the next game before Federer served out for the match. The victor will face either Gael Monfils , another enigmatic Frenchman, or eighth seed Kevin Anderson .

Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn't let crooks wander in and steal them. Surprisingly, the account the attacker initially used to access the servers was not secured with two-factor authentication (i.e. when you need to authorize a login in a second way, typically with a code or app on your phone).

"If you have noticed any content not loading, it is because Timehop deactivated these proactively", the company writes.

The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.

The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.

Most of the data included user names and email addresses. We did this in an abundance of caution, to reset all the keys.

In fact, the Timehop breach happened before the Gentoo one. As an extra security measure, all accounts have been logged out. "As soon as the incident was recognized we began a program of security upgrades".

According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December - using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a USA holiday.

Like this: