Information on Timehop’s Recent Security Incident
On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.
First off, we would like to unequivocally apologize to our users for this incident. We commit to continued transparency about this incident, and this document is part of providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.
• Some data was breached. This includes names, email addresses, dates of birth, gender of users, country and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, social media or photo content, or Timehop data including streaks were affected.
• To reiterate: none of your “memories” – the social media posts & photos that Timehop stores – were accessed.
• We are providing the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records. These are to be considered separately from one another – these are not additive. The total number of breached records was approximately 21 million.
• Name, email, phone, DOB: 3.3 million breached records
• Name, email address, phone: 3.4 million breached records
• Name, email address, DOB: 13.6 million breached records; 2.2 million breached GDPR records
• Name, phone number, DOB: 3.6 million breached records
• Name and email address: 18.6 million breached records; 2.9 million breached GDPR records
• Name and phone number: 3.7 million breached records
• Name and DOB: 14.8 million breached records; 2.5 million breached GDPR records
• Name total: 20.4 million breached records; 3.8 million breached GDPR records
• DOB total: 15.5 million breached records; 2.6 million breached GDPR records
• Email addresses total: 18.6 million breached records; 2.9 million breached GDPR records
• Gender designation total: 9.2 million breached records; 2.6 million breached GDPR records
• Phone numbers total: 4.9 million breached records
• Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. These keys were deauthorized by Timehop acting in concert with its social media provider partners by Sunday, July 8, at 3:30 pm Eastern Time. Timehop did not report the breach, which it discovered on July 5, 2018, to its users until after it was certain that the keys had been deauthorized and our social media provider partners had reported that they had not observed any suspicious activity. Timehop did this to ensure that it did not enable attacks by going public, which could encourage the attackers to move quickly to exploit their stolen data.
• These keys can no longer be used by anyone – so users must re-authenticate to our App.
• If you have noticed any content not loading, it is because Timehop deauthorized these proactively.
• We have no evidence that any accounts on our social media partner providers were accessed without authorization.
• We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
• You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.
• The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. We don’t store copies of your social media profiles. We separate user information from social media content – and we delete our copies of your “Memories” after you’ve seen them. Timehop has never stored your credit card, any financial data, or location data.
• We do not store IP addresses for advertising or tracking purposes. We do log IP addresses for network audit purposes as disclosed in our Terms of Service. The servers that we run, like all web servers, log incoming traffic information, including IP addresses. At the scale at which Timehop operates, the servers generate millions of log lines. While we continue to investigate, at this time we have no indication that any of these were disclosed. Due to the manner in which log queries work with our cloud provider, we will never be able to say with 100% certainty that the intruders did not access IP addresses. Therefore, we are giving notification, now, that your IP address may have been compromised.
WHAT IS NEXT FOR USERS?
Because we have invalidated all API credentials, if you have not already done so, you will be asked to log in again to Timehop and re-authenticate each service you wish to use with Timehop. This will generate a new, secure token. As we mentioned, if you have noticed any content not loading, it is because we deauthorized these tokens proactively. Additionally, user streaks have been frozen and maintained for the time being.
Phone Number Security
If you used a phone number for login, then Timehop would have had your phone number. Please note that phone numbers also include country code. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.
If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.
If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.
At 2:04 PM US Eastern Time on the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.
The attack was detected, and two hours and nineteen minutes later – at 4:23 PM that same day – our engineers locked out the attackers (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.
While we continue to investigate, we have confirmed that this intrusion led to a breach of some data:
• Names, email addresses, dates of birth, gender, country and phone numbers belonging to our customers have been compromised.
• Additionally, “access tokens” provided to Timehop by our social media providers were taken. These tokens could allow a malicious actor to view without permission some of your social media posts (as you will read below, we have terminated these tokens and they can no longer be used). In situations where our social media partners made use of two-part keys – a user part and a “secret” part – our secret parts of the keys were not compromised.
While we continue to investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.
Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.
All the compromised tokens have been deauthorized, and are no longer valid. In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens.
HOW HAS TIMEHOP RESPONDED?
On the 4th of July, when Timehop detected the activity, our engineers moved rapidly to limit the damage created by this breach. On July 4th, before they understood this to be a security incident, the engineers restored service. On July 5th, as you can see on the timetable, the engineers began to treat this as an information security incident.
Timehop is moving aggressively and proactively to notify users, partners, and customers that the breach occurred. Timehop’s first priority has been to defend the social media and account data of its customers.
To that end:
• Timehop has conducted an initial audit, and continues to conduct a thorough audit, of all accounts, credentials, and permissions granted to all authorized users; and deployed enhanced security protocols to secure our systems, remove the intruders and protect your data. This document has been updated to reflect the latest available information. We will continue to update this document until we feel it is complete.
• Timehop has engaged a well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.
• Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance.
• Timehop has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, to help prevent further attacks.
• Timehop is in communication with local and federal enforcement officials, and is providing all requested information to cooperate in all respects with any investigation.
• Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.
WHAT ARE ALL THESE TERMS, AND WHAT DO THEY MEAN?
An attacker is a user who gains access to our systems without our permission. Another common way to put it is that an attacker is an unauthorized user, or a “hacker”.
A Compromise is an incident in which an unauthorized user breaks the confidentiality, integrity, or availability of a service – quite simply, it means that our security was broken.
During a Compromise (or, “When our security is broken”) any data that the attackers – the unauthorized users – may have been able to look at, copy, or download can be considered to have been exposed.
A Breach is when data is actually taken (or, “exfiltrated”) from our computing environment. It means that the attacker was able to break through our security and take what they wanted. This is different from a mere intrusion, which just means that someone got into our system.
A Network Intrusion is any time an unauthorized user, or attacker, is able to penetrate our network defenses and gain access to data or resources within our network.
An encryption key is used to encrypt or decrypt data. A computer uses an encryption key to access data or services in much the same way a human uses a user name and a password. An encryption key is a string of characters that is created to scramble and unscramble data.
An access token identifies a specific account and its credentials; it is sort of similar to the way your bank uses a routing number and account number to send money.
Cloud Computing Provider
Cloud computing is a fancy way to describe a data center not within our corporate headquarters, where our servers are stored and operated, and reached via the Internet. The best known cloud computing providers are Amazon Web Services, Microsoft Azure, and Google Cloud, but there are many such providers.
Cyber Reconnaissance is the activity of looking around in a computer network and becoming familiar with what kinds of computers, services, and data are present.
The Dark Web is a set of Internet web sites that anonymize user traffic, and are accessible only using special encryption software. The Dark Web holds legitimate and illegitimate services and Web sites.
FREQUENTLY ASKED QUESTIONS
What was breached and when?
A database containing usernames, dates of birth, genders, country, phone numbers, email addresses, and social media access tokens was breached on July 4, 2018. Social media access tokens were taken for all accounts. Not all accounts had names, phone numbers, or email addresses. Most accounts contained gender, country and date of birth information.
How do we know there won’t be more PII?
People have asked us whether more personally identifiable information will come out, and if we say no, how they can know. Rather than simply assure you, we are taking the transparent step of simply posting publicly the entirety of the schema of the table that contained personally identifiable information, so you can see for yourself what was taken. Note, as we have stated, an entire database was taken, and that database included access keys to social media sites. Those keys were in a different table of the database, which contained no PII, and which we are therefore not disclosing.
Breached Database Column
Plain English Description What this is:
An automatically incrementing ID number
The Facebook user ID associated with a user; this has been deprecated in this table, and is public information
The time at which the record was created
The time at which the record was last updated
An authorization token that kept the user’s session active. Deprecated and no longer used.
The email address of the user
The user’s first name as listed in social media sites (not necessarily the person’s legal first name)
The user’s last name as listed in social media sites (not necessarily the person’s legal last name)
Whether the user is subscribed to legacy Timehop email. Deprecated and no longer used. Historical artifact from when Timehop was a daily email.
Whether the person has privileges to conduct some testing on local, native mobile applications
The time zone identified to us by the user’s device
Whether the user has completed the steps to sign up for the Timehop service
Whether the user is registered as a Beta tester to help test early releases of the application.
A Globally Unique IDentifier. Deprecated (no longer used).
The email address of the user converted to all lower case.
The user’s phone number as provided by user
The user’s username
The user’s username converted to all lower case
Whether the user has downloaded the Timehop iPhone Application
When the user downloaded the Timehop iPhone Application
Legacy auth token column. Deprecated and no longer used.
Whether the user has downloaded the discontinued Timehop Windows Application
When the user downloaded the discontinued Timehop Mac OSX Application
The latest version of the Timehop application registered by the user
The User’s birthday as provided by social media (and possibly as corrected by the user) in UNIX format
The date and time the user last opened the Timehop application
Timestamp of the last time a user’s email bounced. Deprecated and no longer used. Historical artifact from days when Timehop was a daily email.
When the user downloaded the Timehop Android Application
The latest version of the Timehop Android application registered by the user
The date and time the user last opened the Timehop application
Deprecated product feature, no longer used
The Country Name listed by the User in social media profiles
The Country Code listed in the device used by the user
The language setting listed in the device used by the user
The user’s gender as provided to social media networks.
How sensitive is the information?
The names, genders, country, and dates of birth of some of our customers were breached. We note that in many cases these are not the customer’s full legal name but rather the social media name as listed on their account. However, combined with other, outside data, this may identify an individual. Dates of birth further add to this ability. Some of our customers’ email addresses were lost, and a smaller number of our customers’ phone numbers. No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.
How many users were affected?
Many records contained more than one of the following:
• There were 20.4 million names in total (3.8 million in the GDPR zone).
• There were 15.5 million dates-of-birth in total (2.6 million in the GDPR zone).
• There were 18.6 million Email addresses total (2.9 million in the GDPR zone).
• There were 9.2 million gender designations total (2.6 million in the GDPR zone).
• There were 4.9 million phone numbers total (243,000 in the GDPR zone).
Will this affect my Streak?
No! By a wide margin, this has been the most commonly asked question, and the answer is that we will ensure all Streaks remain unaffected by this event.
Do you know if the data has been used?
All the access keys have been deauthorized and cannot be used, and we have no evidence that any were used in the short period during which they were exposed. On July 5th, Timehop retained the services of a well-established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, there is a high likelihood that they will soon appear in forums and be included in lists that circulate on the Internet and the Dark Web.
What actions have you taken to ensure that this is the extent of the breach and won’t happen again?
There is no such thing as perfect when it comes to cyber security, but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and carried out various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to deauthorize compromised access tokens and, as we describe below, to work with our partners to determine whether any of the keys had been used. In future we will encrypt all access tokens and API keys, emails, and phone numbers in our database.
Has law enforcement been informed?
Yes. Timehop is in communication with local and federal law enforcement officials and will cooperate with all investigations on this matter.
What are the implications in Europe under the new GDPR privacy law?
The GDPR became effective very recently and there are not many guidelines on how key concepts such as “risks to the rights and freedoms of the individuals” should be interpreted, but we are being transparent and proactive: we are notifying all EU users on a voluntary basis and have done so as quickly as possible. We are also in contact with EU authorities. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.
©Timehop — 401 Broadway, New York, NY 10013