by Paul Ducklin for Naked Security by Sophos
Remember Timehop, the “digital nostalgia” app?
No, nor do we, but the company still has a database of about 21,000,000 users who have given the app permission to sift through their digital photos and social media posts – even if they no longer actively use the Timehop service.
The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on. The app was briefly popular a few years ago before Facebook built a similar feature, known as On This Day, into its own social network. The good news is that a third-party app like Timehop can’t work without your permission.
The Timehop app has to be authorized by you and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.
Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn’t let crooks wander in and steal them.
The bad news is that Timehop just announced a data breach.
"On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible."
What Was Stolen?
Timehop says that the following information was stolen:
- Access tokens to your social media and online photo services. (All 21,000,000 users affected.)
- Any or all of your signup name, email address and phone number. (Not all users had all these fields filled in. For example, only 4.7 million users – fewer than a quarter – had handed over their phone numbers.)
Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.
If you’re a Timehop user and you want the app to keep on working, you’ll have to reconnect it to the various services of your choice.
The company says there is no evidence that any of the stolen data has been used for criminal purposes, though of course any stolen email addresses and phone numbers could be abused in the future, dumped online for free, or sold on to other crooks in due course.
Fortunately, the crooks didn’t get any further:
"No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached."
As you can imagine, a service that scrapes your digital photos and old posts so it can replay them later will inevitably end up with a big stash of user data, but those databases, so far as we know at the moment, were not accessed by the crooks.
Just as in the Gentoo Linux breach we wrote about recently, this SNAFU seems to boil down to what you might call “cloud carelessness.”
Timehop, it seems, had sysadmin accounts hosted on other people’s servers that weren’t locked down tightly enough:
"At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts."
If you remember the Gentoo Linux incident, which caused us to say that “Linux experts are crap at passwords,” you will see that history has repeated itself here.
In fact, the Timehop breach happened before the Gentoo one.
Even though the company refers repeatedly to 4 July 2018 in its breach notification, it has also published a more detailed analysis in which it admits that the crooks first got in on 19 December 2017 (for three days), and then came back briefly in both March 2018 and June 2018 before the Fourth of July 2018 attack, when data is known to have been stolen.
Successful cyberattacks often turn out to have been brewing for some time – after all, it’s hard to know where to look, and what to look for, if you’re not aware that bad things have been happening in the first place.
What to do?
If you’re a service provider:
- Pick proper passwords. If you need help to choose and remember strong passwords, use a password manager.
- Insist on two-factor authentication. The inconvenience of putting in a one-time code every time you log on is enormously outweighed by the additional security your organization gets out of the deal.
- Look at your logs. There’s not much point in going to the trouble of keeping system logs if you aren’t going to use them until it’s too late.
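The last two points are the ones that would have shortened Timehop’s seven-month intrusion window: a cloud admin login without a second factor, from an address nobody recognised, is exactly the kind of event an audit log records and nobody reads. As an added example (not Timehop’s code and not part of the original article), the script below reviews a handful of constructed JSON audit-log lines for successful console logins that used no MFA or came from an address outside an approved baseline, and then lists what each flagged session did next. The field names (`event`, `mfa_used`, `src_ip` and so on) and the sample addresses are assumptions made for this example, not any particular cloud provider’s log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-log lines (one JSON event per line). The schema and
# the addresses are invented for this example; adapt the field names to the
# audit-log format your own cloud provider emits.
SAMPLE_LOG = """\
{"time": "2017-12-19T03:12:41Z", "event": "ConsoleLogin", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa_used": false, "outcome": "Success"}
{"time": "2017-12-19T03:13:02Z", "event": "ListBuckets", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa_used": false, "outcome": "Success"}
{"time": "2018-01-08T14:02:10Z", "event": "ConsoleLogin", "user": "ops-admin", "src_ip": "198.51.100.20", "mfa_used": true, "outcome": "Success"}
{"time": "2018-03-05T22:47:55Z", "event": "ConsoleLogin", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa_used": false, "outcome": "Success"}
{"time": "2018-07-04T18:04:00Z", "event": "ConsoleLogin", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa_used": false, "outcome": "Success"}
{"time": "2018-07-04T18:05:31Z", "event": "GetDatabaseSnapshot", "user": "ops-admin", "src_ip": "203.0.113.7", "mfa_used": false, "outcome": "Success"}
{"time": "2018-07-04T18:06:09Z", "event": "ConsoleLogin", "user": "deploy-bot", "src_ip": "192.0.2.9", "mfa_used": false, "outcome": "Failure"}
"""

# Constructed baseline: the only address from which the ops-admin account is
# expected to sign in (e.g. the office egress address).
KNOWN_IPS = {"ops-admin": {"198.51.100.20"}}


def parse_time(stamp):
    """Parse the UTC timestamp format used in the sample log."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Turn newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def successful_logins(events):
    """Only successful interactive logins matter for the two checks below."""
    return [e for e in events
            if e.get("event") == "ConsoleLogin" and e.get("outcome") == "Success"]


def find_logins_without_mfa(events):
    """Successful logins where no second factor was presented."""
    return [e for e in successful_logins(events) if not e.get("mfa_used", False)]


def find_logins_from_unknown_ips(events, known_ips):
    """Successful logins from an address outside the per-user approved baseline.

    The baseline is deliberately not 'learned' from the log itself: an attacker
    who logged in once in December must not become 'known' by March.
    """
    return [e for e in successful_logins(events)
            if e.get("src_ip") not in known_ips.get(e.get("user"), set())]


def session_activity(events, login, window_minutes=60):
    """Everything the same user did from the same address within the window
    after a flagged login; this is what an investigator wants to see first."""
    start = parse_time(login["time"])
    end = start + timedelta(minutes=window_minutes)
    return [e for e in events
            if e is not login
            and e.get("user") == login.get("user")
            and e.get("src_ip") == login.get("src_ip")
            and start <= parse_time(e["time"]) <= end]


def review_log(text, known_ips):
    """Run both checks and attach follow-on activity to each finding."""
    events = parse_events(text)
    findings = []
    for e in find_logins_without_mfa(events):
        findings.append({"reason": "login without MFA", "login": e,
                         "activity": [a["event"] for a in session_activity(events, e)]})
    for e in find_logins_from_unknown_ips(events, known_ips):
        findings.append({"reason": "login from unapproved address", "login": e,
                         "activity": [a["event"] for a in session_activity(events, e)]})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, KNOWN_IPS):
        l = f["login"]
        print(f'{l["time"]} {l["user"]}@{l["src_ip"]}: {f["reason"]}; then {f["activity"] or "nothing"}')
```

Run as-is it reports the December, March and July logins under both rules, and shows that the December session went on to enumerate storage and the July one to fetch a database snapshot; the failed `deploy-bot` login is ignored by both checks. The point of the baseline argument to `find_logins_from_unknown_ips` is that it comes from somewhere other than the log being reviewed, so an intruder’s first visit cannot quietly become the new normal.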
If you’re a Timehop user:
Review any apps that have access to accounts such as Twitter, Facebook, Google Photos, and so forth. Revoke access to any apps you aren’t actively using anymore.
Read the original online article at Naked Security.