Horror Stories: Timehop’s MFA Mishap

by Sarah Harvey / October 16th, 2018

On July 4, 2018, Timehop, a self-proclaimed “daily nostalgia product,” discovered a data breach where up to 21 million users were impacted. Timehop is a memory-sharing app, enabling users to distribute posts from the past; Timehop connects to users’ social networks and photo storage apps – Twitter, Instagram, Facebook, Dropbox, Google Photos, iCloud, etc. For them, this breach was a nightmare because of the nature of their services. When users saw the headlines about Timehop’s breach, I’m guessing the first thing that went through their mind was, “Are my social media accounts compromised?” This assumption, which led to user frenzy, was Timehop’s first obstacle. The company had to overcome this false narrative by being incredibly clear about what kind of data was breached.

Timehop’s MFA Policy: What Happened?

From the security incident and technical reports published by Timehop, we actually know a lot of details about this breach and the incident response plan. Timehop came straight out and admitted that the breach was due to a lack of appropriate MFA on access credentials, which resulted in network intrusion. Obviously many details of the incident couldn’t be released for security reasons, but Timehop did provide the public with a timeline of the event.

December 19-21, 2017: An unauthorized user used a legitimate employee’s credentials to access Timehop’s cloud computing environment and perform cyber reconnaissance.
April 4, 2018: The legitimate employee migrated user data into the database, generating the data that would become the target of the attack. Until this date, no PII was accessible to the attackers.
June 22, 2018: The unauthorized user discovered the user data, including PII.
July 4, 2018: The unauthorized user logs in and the attack occurs. Timehop’s internal alerting tools reported that the service was down, and Timehop engineers worked to restart services.
July 5, 2018: Timehop engineers began their investigation and declared that an incident had occurred when they recognized suspicious patterns. They immediately collected evidence, implemented MFA policies, secured the cloud computing environment, and then contacted law enforcement, Timehop’s Board of Directors, and the incident response team.

Fortunately for Timehop, the connection to users’ social networks was not compromised. They reported, “No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected. To reiterate: none of your ‘memories’ – the social media posts & photos that Timehop stores – were accessed.” The PII breached was fairly typical from that of most breaches these days – email address, dates of birth, name, gender, etc.

Lessons Learned from Timehop

Because of Timehop’s connection to users’ social networks, the company had to be very clear about what types of information were breached. In their security incident report, Timehop goes above and beyond the norm in order to be as transparent as possible. They state, “We commit to transparency about this incident, and this document is part of our providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.” We believe that because GDPR was in effect at the time of this breach, it greatly impacted the level of detail they provided to users.

Please read this important update with additional information on our July 4th security incident. Emails to every user are being sent out as well. https://t.co/s82imGuZpe

— Timehop (@timehop) July 11, 2018

Timehop had an exemplary incident response approach. Within 2 hours of discovering the network intrusion, Timehop engineers responded to the event. From our standpoint, their incident response plan seemed to work as intended. Their plan included providing the public with access to the following:

Easy-to-understand information about the incident
A full timeline of the attack
Detailed information about the types of PII that were breached, including a distinction between breached data and breached GDPR data
A glossary of terms used in the reports
Answers to frequently asked questions
A technical report for those interested in technical details of the incident
Next steps for users to take

During the weeks after the incident, you couldn’t go to Timehop’s website without learning about the breach. Their social media announced the incident, plus the company dedicated a permanent landing page to host the information listed above. Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough that we’ve seen.

If your organization was breached, what would the headlines say about your incident response plan? Does your plan provide users or clients with accessible information about their data? Would you go above and beyond to be honest about the incident?