Facebook and Instagram’s Timehop App Recently Attacked
A data breach recently struck the extremely popular social media platforms of Facebook and Instagram using the add-on application “Timehop,” reportedly impacting as many as 21 million users.
Timehop, a time capsule app used all across the world, was hacked on the 4th of July and exposed the personal data of millions using Facebook, Instagram, or Twitter.
A statement released by Timehop on July 8, 2018, says, “On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.”
The hacking attack is supposed to have exposed personal data- names, email addresses etc- of the whole user base of Timehop. About 22% of the users (4.7 million users) also had telephone numbers attached to their accounts.
Timehop has made it clear that the breach hasn’t affected private/direct messages, financial data, or social media or photo content. It has also not affected Timehop data including streaks or the “memories”- the social media posts & photos that Timehop stores.
Timehop works by plugging into social media accounts-Facebook, Instagram etc_ and then bringing up posts from the past. The hackers behind the breach were reportedly able to grab the keys and tokens that Timehop uses to access and display social media memories.
The Timehop statement says- “Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.”
It further adds, “We have no evidence that any accounts were accessed without authorization.” To reset all the keys, for the sake of caution, users have also been logged out of the app.
The Timehop statement explains how the hacking attack was detected- “At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts…The attack was detected, and two hours and nineteen minutes later – at 4:23 PM that same day – our engineers locked out the attackers”.
Timehop has also published a technical report, which explains the hack in detail; it says- “On December 19, 2017 an authorized administrative user’s credentials were used by an unauthorized user to log into our Cloud Computing Provider. This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance.”
The technical report further says- “On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data. At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 PM, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”
There is no evidence that the breached data has been used. Investigations are on and Timehop has enabled multi-factor authentication on those accounts that didn’t have it for cloud-based services.
In addition to making it clear that there are no reports or confirmation of unauthorized access of user data through the use of the breached access tokens, Timehop clarifies that the tokens do not give anyone access to any personal messages. The Timehop blog post says- “we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile.”
The compromised access tokens have all been deauthorized, and are no longer valid.
Julia Sowells467 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.