Skip to main content

Timehop data breach may have compromised 21 million email addresses

Image used with permission by copyright holder

Names and email addresses of as many as 21 million Timehop users may have been compromised as a result of a data breach that occurred on July 4. Timehop, a service that aggregates old photos and posts from various social media accounts — including Facebook, Instagram, Twitter, Google Photos, and Dropbox — discovered the attack on its service as it was unfolding, but it took several hours for the company to contain the breach.

“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data,” the company revealed a few days following the breach. “At 2:43 pm U.S. Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 p.m., Timehop engineers had begun to implement security measures to restore services and lock down the environment.”

Recommended Videos

Timehop’s initial investigation revealed that no user content was compromised as a result of the breach. Engineers deactivated keys that linked Timehop’s service with other social media platforms as a response, so users will have to re-authenticate with those services. Still, in addition to names and email addresses, as many as 4.7 million phone numbers may have also been exposed as a result of the attack, TechCrunch reported.

“While we were confident that the access keys to those services had not been used, we felt that potential exposure of that content urgently justified a service interruption to ensure that attackers could not, for example, view personal photos,” the company said. “Through conversations with the information security, engineering, and communications staff at these providers, we were able to deactivate the keys and confirm that no photos had been compromised.” Timehop further noted that these tokens would not have given anyone access to private information, such as Facebook Messenger messages or Twitter Direct Messages.

According to the company, the first stage of the attack occurred on December 19, 2017 when an unauthorized user obtained the credentials of an administrative user to create a new administrative-level account. The attacker was able to do this because the original administrative account was not protected by multi-factor authentication, and Timehop has since taken steps to secure accounts to prevent another similar attack from happening. The attacker used the newly created administrative account to log into Timehop’s servers in March and June, with the attack taking place in July.

Although the attacker may have had access to some of your social posts on Facebook, Instagram, and Twitter, Timehop informed users that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts.” Despite the security breach, Timehop maintains that it found “no evidence that any accounts were accessed without authorization,” and it claims that because it pulls only the data that it needs for the service, it was able to minimize a potentially larger exposure.  Timehop has notified law enforcement about the breach and retained the services of a cybersecurity agency to monitor the dark web to ensure that user data doesn’t get leaked.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
We may have just seen the Meta Quest Pro, and it looks super sleek
A hand holds a white Meta Quest Pro box with an iimage of the headset on the front

Meta is expected to launch a "Meta Quest Pro" VR set sometime this year, and the first images of this mythical device may have just surfaced online.

The Verge reported on a prototype of the top-secret headset left behind in a hotel room and subsequently discovered by Facebook Gaming personality Ramiro Cardenas, aka Zectariuz Gaming.

Read more
Chrome extensions with 1.4M users may have stolen your data
Google Chrome icon in mac dock.

McAfee researchers have discovered various Google Chrome extensions that steal browsing activity, with the add-ons racking up more than a million downloads.

As reported by Bleeping Computer, threat analysts at the digital security company have come across a total of five such malicious extensions.

Read more
This Twitter vulnerability may have revealed owners of burner accounts
Twitter app on the OnePlus 10T.

Twitter recently announced the existence of a security vulnerability that poses a particular risk for anonymous and pseudonymous Twitter accounts.

On Friday, the popular social media platform published a blog statement describing the nature of the security vulnerability, which, if exploited, could let someone send contact information (phone numbers, email addresses) to Twitter's systems, which would then "tell the person what Twitter account the submitted email addresses or phone number are associated with, if any." Essentially, with this bug, if you had someone's contact information, you could use it to figure out which accounts on Twitter were theirs.

Read more