Timehop hacker hid in plain sight for eight months
Yesterday we brought you news that nostalgia app Timehop had been breached by an unauthorised person.
According to the firm it suffered a breach on 4th July, but in a recent update it appears the bad actor had been on Timehop’s network since December 2017.
“On December 19, 2017 an authorised administrative user’s credentials were used by an unauthorised user to log into our Cloud Computing Provider. This unauthorised user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment,” writes Timehop.
You read that correctly: the hacker stole credentials and then created their own administrator account, which they used to log into Timehop’s cloud infrastructure. That’s about as “in plain sight” as you can get, and it slams home the message that firms need to be more mindful of who has administrator access.
From there the firm fast forwards to March 2018, when the hacker logged into the system again, presumably to conduct more reconnaissance, as there was no personal data of users in the cloud environment at the time.
However, in April 2018 Timehop migrated a database containing personally identifiable information into the cloud environment. The hacker logged in on 22nd June 2018, saw the database, and presumably began siphoning off data. On 4th July the database was stolen, and on 5th July Timehop locked down its systems.
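The pattern above, an existing admin’s credentials used to mint a second admin account that then lies dormant between logins, is one a cloud audit log can surface. The following is an added example, not code from the article or from Timehop: it runs over constructed events in a generic, provider-neutral shape (the event names, user names and the approved-admin roster are assumptions) and flags any account granted administrator rights outside the roster, listing what it did afterwards and for how long.

```python
from datetime import datetime

# Constructed audit events in a generic, provider-neutral shape (not any real
# cloud provider's log format); timestamps follow the article's timeline.
EVENTS = [
    {"time": "2017-12-19T03:12:00", "actor": "alice", "action": "Login", "target": None},
    {"time": "2017-12-19T03:15:00", "actor": "alice", "action": "CreateUser", "target": "svc-backup"},
    {"time": "2017-12-19T03:16:00", "actor": "alice", "action": "GrantAdmin", "target": "svc-backup"},
    {"time": "2017-12-19T03:20:00", "actor": "svc-backup", "action": "ListBuckets", "target": None},
    {"time": "2018-01-08T10:00:00", "actor": "alice", "action": "GrantAdmin", "target": "bob"},
    {"time": "2018-03-02T22:40:00", "actor": "svc-backup", "action": "Login", "target": None},
    {"time": "2018-06-22T01:05:00", "actor": "svc-backup", "action": "Login", "target": None},
    {"time": "2018-06-22T01:09:00", "actor": "svc-backup", "action": "DescribeDatabases", "target": None},
    {"time": "2018-07-04T04:30:00", "actor": "svc-backup", "action": "ExportSnapshot", "target": "users-db"},
]

# Assumed roster of accounts that are allowed to hold administrator rights.
APPROVED_ADMINS = {"alice", "bob"}


def find_unsanctioned_admins(events, approved):
    """Flag every account granted admin rights that is not on the approved
    roster, and collect everything that account did afterwards.

    Returns {user: {"granted_by", "granted_at", "activity", "dwell_days"}},
    where "activity" is a time-ordered list of (time, action) and
    "dwell_days" is the span from the grant to the account's last action.
    Note the limit of a roster check: it catches the new account, not the
    misuse of a legitimate admin's stolen credentials that created it.
    """
    findings = {}
    for e in sorted(events, key=lambda x: x["time"]):  # ISO-8601 sorts lexically
        if e["action"] == "GrantAdmin" and e["target"] not in approved:
            findings[e["target"]] = {
                "granted_by": e["actor"], "granted_at": e["time"], "activity": []
            }
        elif e["actor"] in findings:
            findings[e["actor"]]["activity"].append((e["time"], e["action"]))
    for f in findings.values():
        start = datetime.fromisoformat(f["granted_at"])
        last = f["activity"][-1][0] if f["activity"] else f["granted_at"]
        f["dwell_days"] = (datetime.fromisoformat(last) - start).days
    return findings


if __name__ == "__main__":
    for user, f in find_unsanctioned_admins(EVENTS, APPROVED_ADMINS).items():
        print(f"{user}: admin granted by {f['granted_by']} at {f['granted_at']}, "
              f"{len(f['activity'])} later actions over {f['dwell_days']} days")
```

The second grant (to "bob") is on the roster and is ignored, so an admin grant alone is not the signal; an admin grant to an account nobody approved is.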
Yesterday we reported that the stolen data included names, email addresses, and some phone numbers, but Timehop now reports that dates of birth, gender of users, and country codes for phone numbers were also stolen. In total some 21 million users are affected by this breach.
| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |
“We recognize this second disclosure creates the sensation that we are releasing information slowly, in a “drip drip” fashion, to mitigate the potential fallout. We can only assure you that this is not the case. If anything, we are deeply embarrassed to have to make this secondary disclosure,” wrote Timehop in an update to the hack, “We are deeply sorry for this secondary disclosure.”
As sorry as the firm is, it’s unlikely that those tasked with enforcing GDPR will let this slide. It will be interesting to see what European authorities do about Timehop’s hack, if anything. That having been said, Facebook was just handed a £500 000 fine for failing to safeguard the information of its users before GDPR was in effect.
[Image – CC 0 Pixabay]