UPDATED 23:20 EDT / JULY 09 2018


Here’s what you need to know about the Timehop data breach

Timehop, an app and the company behind it, which was popular on Facebook until the social network copied its features with its own “On This Day” service in 2015, has been hacked.

Data relating to 21 million users was stolen. It consisted of the names and email addresses of its users, with 4.7 million of those records including phone numbers as well. None of the social media posts and photos that Timehop displays were accessed, nor were any messages or financial data stolen.

The theft itself took place on July 4, a date likely chosen because it was a public holiday, although the hacker had first gained access to Timehop’s network in December. The intrusion was promptly discovered and Timehop Inc. managed to cut off access two hours and 19 minutes after the hack began, but only after the data had already been stolen.

James Lerud, head of the behavioral research team at Verodin Inc., told SiliconANGLE that Timehop should be commended for its transparency and handling of the situation so far.

“They were able to begin remediation actions about two hours after detecting malicious activity, which is a very good response time,” he said. “Their decision to deactivate access tokens is the right move, but should also serve as a reminder to regularly review what apps have access to your social media accounts.”

On the negative side, he added, “the first unauthorized login took place over seven months ago. This could indicate that the password had not been changed in over six months. They also did not have two-factor authentication enabled for all of their accounts, something they have since fixed.”

All in all, he said, “this incident should serve as a reminder that there is always room to improve security. Mature security shops need to practice how they play; knowing where your security stands through repeatable exercises with empiric results can help expose where controls are lacking.”

Jeannie Warner, security manager at WhiteHat Security Inc., agreed, calling the breach a wakeup call.

“Applications like Timehop, which acquire explicit access to your personal information, social media connections and posts — both public and private — may not have strong intrinsic security,” she said. “In the case of Timehop, its cloud servers weren’t even protected by multifactor authentication, which should be a default at this point.”

Warner also called for quick action on applying patches to applications – “not months after they become available.” Moreover, she said, companies should make security testing a part of the entire lifecycle of an application. “Users can review which apps have what level of access through social media apps’ setting and privacy tools and adjust accordingly.”

Zack Allen, director of threat operations at ZeroFOX Inc., said the incident demonstrates the importance of security hygiene not only for users and social networks, but also for the third-party apps that build on those networks.

“Timehop did a fantastic job of giving a breakdown on how they detected the intrusion, what their playbook was in terms of how they responded to it, as well as action items and next steps on how they are preventing this from happening in the future,” he said. “The harrowing fact isn’t so much that Timehop got breached, but that there are a myriad of other apps out on the web that do not have the technical capability to prevent, detect, respond or recover from breaches like Timehop did.”

Fred Kneip, chief executive officer at CyberGRX Inc., considered the broader picture, noting that with social media sites such as Facebook already under fire for data security and privacy, “this breach demonstrates that, even if internal policies and procedures are squared away, social media platforms still have to ensure that partners like Timehop have the proper security controls in place to safeguard users’ data.”

Image: Timehop
