Data Breach of the Month: Timehop

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser-known incident that has outsized implications for the security industry.


In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.


So without further ado, our breach of the month for July 2018 is… the user data breach at Timehop.


What Happened?

Timehop is a social media app that collects users’ old posts and photos and resurfaces them. On July 4th, an attacker stole personally identifiable information (PII) belonging to approximately 21 million Timehop users from a database in a cloud computing environment. The breached user information includes names, dates of birth, genders, phone numbers, email addresses, and tokens that maintain persistent access to social media accounts. Not every type of information was breached for each user.


Timehop promptly notified users and issued a public advisory within days, but in the rush to tell users what data had been compromised, the company's initial announcement left out some of the data types and so understated the extent of the breach. The company has been extremely transparent about how it initially missed this data, describing its response process in detail in an advisory on its website.


How Did It Happen?

The incident was contained within a few hours of the data theft, but the attacker actually had access to the system for months. In December 2017, an admin’s user credentials were compromised and used to log into Timehop’s cloud environment. The attacker logged in occasionally over the next few months, creating an API access key that they used to conduct reconnaissance and scrape the information that was accessible. When a database containing user data was moved into that cloud environment, the attacker stole the data.


Timehop’s internal systems generated an alert within 40 minutes of the start of the breach. The attacker’s actions soon began causing outages for users of the Timehop app, and an engineer began investigating. The engineer quickly found the source of the problems and brought the application back online. At this point, however, they believed it was a maintenance issue.


The next day, it was confirmed that a hack had occurred. Timehop revoked the compromised admin account’s access and began enforcing multi-factor authentication on all accounts. That same day, Timehop’s CEO hired a cyber incident response company and they began their investigation.


How to Minimize the Risk of this Type of Breach

Based on the detailed information they have made public, Timehop did a good job detecting the breach and acting quickly. Unfortunately, because the attacker was already so entrenched in their system, they were not able to prevent the data from being stolen. In their public report of the incident, Timehop says they brought in a cyber incident response company to conduct an investigation, suggesting that they did not have an in-house cyber incident response platform (IRP) or security orchestration, automation, and response (SOAR) platform.


Having an in-house platform might have helped them in a couple of ways. First, the initial alert generated by the attacker’s activity would have likely been escalated to an incident report for further investigation. This scenario may or may not have led to the breach being discovered faster, but with a SOAR platform, the compromised user’s access could have been instantly disabled via automation. This may have made the difference between preventing the data theft and acting too late.
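The escalation-and-containment step described above can be sketched as a small correlation rule. This is an added example, not code from Timehop or from any SOAR product: the event schema, account names, action names, and one-hour window are all assumptions, and the rule assumes the audit log records whether MFA was used at login.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized audit-log schema
# (field names and values are assumptions, not Timehop's data).
EVENTS = [
    {"ts": "2024-01-01T03:10:00", "user": "admin-a", "action": "console_login", "mfa": False},
    {"ts": "2024-01-01T03:25:00", "user": "admin-a", "action": "create_api_key", "key_id": "key-1"},
    {"ts": "2024-01-01T09:00:00", "user": "dev-b", "action": "console_login", "mfa": True},
    {"ts": "2024-01-01T09:05:00", "user": "dev-b", "action": "create_api_key", "key_id": "key-2"},
    {"ts": "2024-01-02T11:00:00", "user": "admin-c", "action": "console_login", "mfa": False},
    {"ts": "2024-01-02T15:00:00", "user": "admin-c", "action": "create_api_key", "key_id": "key-3"},
]

WINDOW = timedelta(hours=1)  # assumed correlation window


def triage(events, window=WINDOW):
    """Escalate users whose login without MFA is followed by API key creation.

    Returns one incident per user with the containment steps a playbook
    would queue; nothing is executed here.
    """
    weak_login = {}   # user -> time of most recent login without MFA
    incidents = {}    # user -> incident record
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "console_login":
            if ev.get("mfa"):
                weak_login.pop(user, None)   # an MFA login clears the flag
            else:
                weak_login[user] = ts
        elif ev["action"] == "create_api_key":
            login = weak_login.get(user)
            if login is not None and ts - login <= window:
                inc = incidents.setdefault(
                    user, {"user": user, "actions": [("disable_user", user)]})
                inc["actions"].append(("revoke_api_key", ev["key_id"]))
    return list(incidents.values())


if __name__ == "__main__":
    for incident in triage(EVENTS):
        print(incident)
```

Only `admin-a` is escalated: `dev-b` logged in with MFA, and `admin-c` created a key outside the correlation window.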


Timehop’s report also noted that a major piece of the investigation was sorting through a large amount of security data to make sense of what happened. Having an in-house platform could make this process easier by acting as a centralized repository for all incident data—including gathering data from other security systems via integrations—and providing tools to visualize the data in the form of timelines, graphs, and link analysis.


Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.