Timehop Service Suffers Data Breach Affecting 21 Million Users [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,713
10,127



The company behind social media app Timehop has revealed its servers suffered a data breach in which the personal details of around 21 million users were stolen.

The company, whose service integrates with users' social media accounts to display photos and memories they may have forgotten about, said it became aware of the attack as it was happening in the early hours of July 4.

In a statement published on Saturday, the company said it was able to shut down its cloud servers two hours and twenty minutes into the attack, but not before a significant number of users' data was stolen.

Hackers made off with the names and emails of 21 million users and the phone numbers of 4.7 million users, but no private/direct messages, financial data, social media, photo content, or Timehop data including streaks were affected, according to the company.

However, the keys that enable the service to read and send social media content to users were compromised in the breach. Timehop has deactivated the keys as a security measure, but that means users will need to re-enable the app's permission to access their accounts if they want to continue using the service.
While we investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.

Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened.
Notably, Timehop admitted that prior to the breach, the account login process on the compromised cloud server was not protected by multi-factor authentication.

Multi-factor authentication protocols are often used by companies handling large customer databases because they provide hardened security during login attempts by requesting that the user provides extra information only they would know.

The company said it had now reset all its passwords and added multi-factor authentication to all its cloud server accounts, and would continue to work with local and federal law enforcement officials to investigate the incident further.

Update 7/11: Timehop has disclosed that more user information was compromised in the same data breach, including date of birth and gender.

Article Link: Timehop Service Suffers Data Breach Affecting 21 Million Users [Updated]
 

KPandian1

macrumors 65816
Oct 22, 2013
1,493
2,428
It is not enough that so much personal data is given up by people on Facebook and other social media, they actually fall for a company that "puts it all together" with a selling slogan "Sharing Is Caring!"?

Love the fact that it is "local".
 
  • Like
Reactions: FunnelDog

H3LL5P4WN

macrumors 68030
Jun 19, 2010
2,582
2,865
Pittsburgh PA
I shouldn't care, but I'm laughing myself into a hemorrhage over this.

I told my ex (and her BFF, and I think also his BF) numerous times to turn that garbage off, especially since Failbook and Google Photos have this exact feature built in (and since they're all millennials, FB and Snapchat are all they use).

I do feel bad that 21 million people had to suffer due to this particular posterior bite from Karma, however.
 
Last edited:

riverfreak

macrumors 65816
Jan 10, 2005
1,367
1,525
Over the Reignbough
Amazeballs on so many levels. Storing user data unencrypted. They hadn’t been bothered to add MFA before but were able to do so in just a couple of days AFTER the breach. And the attackers got access to auth tokens.

Here’s some lessons kids. Don’t use the login with Facebook feature. Ever. The two seconds of convenience you’ll save just makes Facebooks data collection even more pervasive and pernicious.

Consider whether you really *need* any of these services. Consider whether you should really be connecting anything to social media accounts. Finally go to Facebook right now and try to understand the bizarro privacy settings. Download your data. Check out apps you’ve connected and delete ones you don’t use, recognize, or remember. And consider disabling the “Facebook Platform” option altogether.
 

nburwell

macrumors 601
May 6, 2008
4,809
1,745
DE
You know you’re old when 21 million people use something you’ve never even heard of.
I honestly didn't know it was a service/app probably until last year when my friend's wife would constantly post stuff that would show up on my FB newsfeed from Timehop.
 

Morgenland

macrumors 6502a
May 28, 2009
787
764
Europe
Who has the money, who has the interest to successfully start hacks on all "social media"?!

Boring, same old scam (yahoo, FB...):

1. scare your social media users with evil hackers
2. offer them "multi-factor authentication" for advanced security "option" to elicit their mobile phone number or CC number.

In this way, the participants are "voluntarily" brought to throwing overboard personal freedom and privacy/anonymity.

I love that everyone's doing it! Modern Middle Ages...
 
Last edited:

stoopkidblues

macrumors 6502
Mar 21, 2014
379
232
What I’m interested in knowing is if when you disabled/unlinked the account via Facebook (i.e. logged in with Facebook but deleted/removed that access) how much information Timehop still had/has access to.
 

doctor-don

macrumors 68000
Dec 26, 2008
1,579
317
Georgia USA
Amazeballs on so many levels. Storing user data unencrypted. They hadn’t been bothered to add MFA before but were able to do so in just a couple of days AFTER the breach. And the attackers got access to auth tokens.

Here’s some lessons kids. Don’t use the login with Facebook feature. Ever. The two seconds of convenience you’ll save just makes Facebooks data collection even more pervasive and pernicious.

Consider whether you really *need* any of these services. Consider whether you should really be connecting anything to social media accounts. Finally go to Facebook right now and try to understand the bizarro privacy settings. Download your data. Check out apps you’ve connected and delete ones you don’t use, recognize, or remember. And consider disabling the “Facebook Platform” option altogether.
What is this login with Facebook feature to which you refer? What is Facebook?
 

fairuz

macrumors 68020
Aug 27, 2017
2,475
2,552
Silicon Valley
Amazeballs on so many levels. Storing user data unencrypted. They hadn’t been bothered to add MFA before but were able to do so in just a couple of days AFTER the breach. And the attackers got access to auth tokens.

Here’s some lessons kids. Don’t use the login with Facebook feature. Ever. The two seconds of convenience you’ll save just makes Facebooks data collection even more pervasive and pernicious.

Consider whether you really *need* any of these services. Consider whether you should really be connecting anything to social media accounts. Finally go to Facebook right now and try to understand the bizarro privacy settings. Download your data. Check out apps you’ve connected and delete ones you don’t use, recognize, or remember. And consider disabling the “Facebook Platform” option altogether.
Facebook login often times does nothing but let a site authenticate you. It's a good way to prove your identity to a site without giving them anything else like your email. Sites that request permissions beyond that, that's a different story. If you'd rather not risk it and also be able to blindly accept permissions requests, you can use a fake FB account with no identifying info, only for login, like I do.

Also, maybe the data was encrypted in the DB but with keys the company holds. Some things like [edit: originally mistyped "credit cards," meant "email addresses"] and phone numbers might be impossible to encrypt with a user-held key.
[doublepost=1531175846][/doublepost]
You know you’re old when 21 million people use something you’ve never even heard of.
I'm 22 and have never heard of it. My friends use social media too, and I used to. Could just be regional.
 
Last edited:

You are the One

macrumors 6502a
Dec 25, 2014
594
751
In the present
I shouldn't care, but I'm laughing myself into a hemorrhage over this. I told my ex (and her BFF, and I think also his BF)
I'd like to look at it the other way around. The principle, buyer be ware, is what de facto counts when it comes down to it. Goes for your marriage as well as using internet services. If basic security protocols are not in place. Consider something else. And if you have no idea what you are getting into, consider a backup plan.

Combine greedy unethical service providers with trusting (ignorant and gullible) users and that's the current situation.

>I told my ex (and her BFF, and I think also his BF)

This one just doesn't compute to me. I guess you mean her BF.

You know you’re old when 21 million people use something you’ve never even heard of.
I'm 22 and have never heard of it. My friends use social media too, and I used to. Could just be regional.
[doublepost=1531210381][/doublepost]
Is there a forum / wiki with a master list of breaches like this one?
Here is one buddy. Or what I assume you actually ask for. *already posted

https://haveibeenpwned.com
 
Last edited:
  • Like
Reactions: FunnelDog

H3LL5P4WN

macrumors 68030
Jun 19, 2010
2,582
2,865
Pittsburgh PA
>I told my ex (and her BFF, and I think also his BF)

This one just doesn't compute to me. I guess you mean her BF.
lol, my ex's best friend forever, (whom she would have probably left me for, if it weren't for the fact that) he is gay and has a boyfriend. Ergo the use of BFF and BF.

Either way they're just android plebs, no matter how smart they like to think they are.
 
  • Like
Reactions: You are the One

KSGLAW

macrumors newbie
Jul 11, 2018
1
0



The company behind social media app Timehop has revealed its servers suffered a data breach in which the personal details of around 21 million users were stolen.

The company, whose service integrates with users' social media accounts to display photos and memories they may have forgotten about, said it became aware of the attack as it was happening in the early hours of July 4.

In a statement published on Saturday, the company said it was able to shut down its cloud servers two hours and twenty minutes into the attack, but not before a significant number of users' data was stolen.

Hackers made off with the names and emails of 21 million users and the phone numbers of 4.7 million users, but no private/direct messages, financial data, social media, photo content, or Timehop data including streaks were affected, according to the company.

However, the keys that enable the service to read and send social media content to users were compromised in the breach. Timehop has deactivated the keys as a security measure, but that means users will need to re-enable the app's permission to access their accounts if they want to continue using the service.
Notably, Timehop admitted that prior to the breach, the account login process on the compromised cloud server was not protected by multi-factor authentication.

Multi-factor authentication protocols are often used by companies handling large customer databases because they provide hardened security during login attempts by requesting that the user provides extra information only they would know.

The company said it had now reset all its passwords and added multi-factor authentication to all its cloud server accounts, and would continue to work with local and federal law enforcement officials to investigate the incident further.

Update 7/11: Timehop has disclosed that more user information was compromised in the same data breach, including date of birth and gender.

Article Link: Timehop Service Suffers Data Breach Affecting 21 Million Users [Updated]
[doublepost=1531323960][/doublepost]Kohn, Swift & Graf, a Philadelphia-based law firm which handles class action cases nationwide, is investigating claims for a class action law suit against the app, Timehop, for its alleged data breach. We are gathering information about peoples’ experiences. If you or someone know has used Timehop before, please send your complaints to info@kohnswift.com. All consultations with our firm are free of charge. If we do file a lawsuit, you will not be charged any money for our services. We get paid only if we achieve a successful result.


More details about our investigation can be found on our website: https://kohnswift.com/2018/07/10/timehop-data-breach-investigation/.


To ensure compliance with applicable rules of professional conduct, please note that this post might be construed as Attorney Advertising. Thank you, and we look forward to hearing from you.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.