Timehop hacker hid in plain sight for eight months

Share on facebook
Share on twitter
Share on linkedin
Share on email

Yesterday we brought you news that nostalgia app Timehop had been breached by an unauthorised person.

According to the firm it suffered a breach on 4th July but in a recent it update it appears the bad actor had been on Timehop’s network since December 2017.

“On December 19, 2017 an authorised administrative user’s credentials were used by an unauthorised user to log into our Cloud Computing Provider. This unauthorised user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment,” writes Timehop.

You read that correctly, the hacker stole credentials and then created their own administrator account which they used to log into Timehop’s cloud infrastructure. That’s about as “in plain sight” as you can get and slams home the message that firms need to be more mindful of who has administrator access.

From there the firm fast forwards to March 2018 where the hacker logged into the system again, presumably to conduct more reconnaissance as there was no personal data of users in the cloud environment at the time.

However, in April 2018 Timehop migrated a database that contained personally identifiable information into the cloud environment. The hacker logged in on 22nd June 2018, saw the database, and presumably began siphoning off data. On 4th July the database was stolen and on 5th July Timehop locked down its systems

Yesterday we reported that the data that was stolen included names, email addresses, and some phone numbers but Timehop now reports that dates of birth, gender of users, and country codes for phone numbers were stolen. In total some 21 million users are affected by this breach.

Type of Personal Data Combination # of Breached Records # of Breached GDPR Records
Name, email, phone, DOB 3.3 million 174,000
Name, email address, phone 3.4 million 181,000
Name, email address, DOB 13.6 million 2.2 million
Name, phone number, DOB 3.6 million 189,000
Name and email address 18.6 million 2.9 million
Name and phone number 3.7 million 198,000
Name and DOB 14.8 million 2.5 million
Name total 20.4 million 3.8 million
DOB total 15.5 million 2.6 million
Email addresses total 18.6 million 2.9 million
Gender designation total 9.2 million 2.6 million
Phone numbers total 4.9 million 243,000

“We recognize this second disclosure creates the sensation that we are releasing information slowly, in a “drip drip” fashion, to mitigate the potential fallout. We can only assure you that this is not the case. If anything, we are deeply embarrassed to have to make this secondary disclosure,” wrote Timehop in an update to the hack, “We are deeply sorry for this secondary disclosure.”

As sorry as the firm is it’s unlikely that those tasked with enforcing GDPR will let this slide. It will be interesting to see what European authorities do about Timehop’s hack if anything. That having been said Facebook was just handed a £500 000 fine for failing to to safeguard the information of its users before GDPR was in effect.


[Image – CC 0 Pixabay]

Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.