Time Machine backup disk stolen from luggage... how big of a risk is this?

InfoTime

Original poster

This happened to a customer of mine. It was not an encrypted backup. She didn't have any Word docs called "Passwords for all my sites" or anything stupid like that. Nor did she have spreadsheets with financial account numbers or anything sensitive.

Main concern might be gaining access to her Yahoo mail or logging into a financial institution's website. As far as I know a restored Time Machine backup won't retain passwords or sessions. If there is any risk it would require the skill of a computer forensics expert to do any damage. Right?

But, within the same week her credit card was breached and her bank had her set up new security questions, security picture and new password. I'm having trouble connecting the two.

Coincidence or not?
 

throAU

If the backup was not encrypted then I'd suggest she change all her passwords. I thought that saved passwords would be saved/restored from TM backup? It's been a while.

Anything saved in the browser will be accessible if an attacker was to restore the TM backup to a machine and then go through the browser history and attempt to go to sites she had passwords saved and set to stay logged in to.

I'd strongly suggest to her that she assume that anything that was saved in her browser is compromised and act accordingly. Better to be safe than sorry, etc.
 

richard2

Safari's cookies and site credentials are both included in Time Machine backups:

  • Cookies are stored in the file ~/Library/Cookies/Cookies.binarycookies, which isn't encrypted.
  • Site credentials are stored in the keychain, which is encrypted.

As throAU has already stated, your client should assume that any open sessions in her web browser have been compromised. If she used a weak keychain password, then she should also assume that the contents of her keychain have been compromised. I'd recommend that she immediately change all of the passwords for her most sensitive accounts (such as e-mail).

Which web browser does your client use?
 
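Added example, not part of richard2's post or of the thread: a Python script that walks a surviving copy of the backup and reports, per user, which of the two artifact classes named above each snapshot holds, so the owner knows which sessions to sign out of and which passwords to rotate. The `Backups.backupdb` layout in the constructed sample, the `~/Library/Keychains/*.keychain` location and all function names are assumptions of this example.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Response for each artifact class discussed in the thread.
ACTIONS = {
    "session-cookies": "not encrypted: sign out everywhere, then change the password",
    "keychain": "encrypted: safe only if the keychain password is strong; rotate if weak",
    "unrecognised-cookie-file": "inspect manually",
}

def classify(path):
    """Map a file two levels below a home folder's Library to an artifact class, or None."""
    parts = path.parts[-3:]
    if parts == ("Library", "Cookies", "Cookies.binarycookies"):
        # Safari's cookie store begins with the ASCII magic "cook".
        with path.open("rb") as fh:
            return "session-cookies" if fh.read(4) == b"cook" else "unrecognised-cookie-file"
    # Assumption: keychains live in ~/Library/Keychains/*.keychain (path not given in the thread).
    if parts[:2] == ("Library", "Keychains") and path.suffix == ".keychain":
        return "keychain"
    return None

def inventory(backup_root):
    """Count, per (user, artifact class), how many snapshots under backup_root contain it."""
    counts = Counter()
    for f in Path(backup_root).glob("**/Users/*/Library/*/*"):
        kind = classify(f) if f.is_file() else None
        if kind:
            counts[(f.parts[-4], kind)] += 1  # parts[-4] is the home folder name
    return dict(counts)

def build_sample(root):
    """Constructed sample: two snapshots; alice has both artifacts, bob a damaged cookie file."""
    for snap in ("2016-05-01-101500", "2016-05-02-101500"):
        users = Path(root, "Backups.backupdb", "Mac", snap, "Macintosh HD", "Users")
        for user, magic in (("alice", b"cook"), ("bob", b"\0\0\0\0")):
            lib = users / user / "Library"
            (lib / "Cookies").mkdir(parents=True)
            (lib / "Cookies" / "Cookies.binarycookies").write_bytes(magic + bytes(4))
        (users / "alice" / "Library" / "Keychains").mkdir()
        (users / "alice" / "Library" / "Keychains" / "login.keychain").write_bytes(bytes(8))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for (user, kind), n in sorted(inventory(tmp).items()):
            print(f"{user}: {kind} in {n} snapshot(s) -> {ACTIONS[kind]}")
```

The script reads only the first four bytes of each cookie file and never opens a keychain, so it is safe to run on a backup you do not want to modify.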

InfoTime

Original poster
Pretty sure it's just Safari. She is on an old OS, 10.7, which I'm going to upgrade next week for her. Also, for mail she just uses web-based Yahoo.

Other than access to email (which might allow for password resets on other sites) I'm having a hard time imagining the risks for financial sites - my banks log me out after about 5 minutes of inactivity.

Good news: the drive wasn't lost or stolen. She had someone check her other home and it turns out it was sitting right there.

Feel free to continue the conversation though....
 

throAU

Well, unless she's using a password manager, obtaining the other passwords (and other personal information) may help an attacker guess the banking password(s). Will also potentially enable an attacker to ring the bank and get a password reset - most of the identifying questions the banks use are things like "what's your mother's name", "what's your date of birth", etc. which are pretty much easily obtained from most people's computer or email. Or Facebook, or whatever may have an open session on the internet.

So yeah, encrypting TM backups is a good idea.

As is running a password manager.

  1. because your passwords will be stronger
  2. because you don't need to remember them anyway, changing them is not as much of a hassle - you don't need to spend time re-memorizing them