Cyber Incident Victim: Timehop
Date: Jul 2018
Location: United States of America
Summary
A social media memory app suffered a data breach that compromised the personal information of 21 million users: names and email addresses for all of them, and phone numbers for 4.7 million of them. Attackers infiltrated the company's cloud environment using compromised admin credentials and conducted reconnaissance over several months before exfiltrating data during a holiday period. The intrusion exposed authentication keys for social media integrations, prompting service-wide deactivation of those keys and mandatory user reauthentication. While no financial data, location information, or social media content was accessed, a theoretical risk of unauthorized token misuse existed during a limited window. The breach stemmed from missing multifactor authentication on a legacy cloud account, which the company addressed post-incident alongside enhanced encryption. Law enforcement and GDPR specialists were engaged, with notifications delivered via app logins and planned bulk emails.
Description
The Timehop data breach occurred on July 4, 2018, when an attacker compromised the personal information of 21 million users, representing nearly the entire user base. The intrusion began at 2:04 PM Eastern Time during the US holiday and was detected by Timehop's security team while in progress. Company engineers terminated the attack within two hours and nineteen minutes, though unauthorized access had already occurred. Initial forensic analysis revealed the attacker first infiltrated Timehop's cloud computing environment in December 2017 using compromised administrative credentials. During this initial access period, the intruder conducted reconnaissance activities over several days in December, followed by additional probing sessions in March and June 2018 before executing the July 4 data exfiltration.

Compromised data included names and email addresses for all affected users, and approximately 4.7 million of those users also had the phone numbers attached to their accounts exposed. Timehop confirmed that no financial information, social media content, location data, IP addresses, or Timehop-specific user data was accessed, citing its data minimization practices as a limiting factor. However, the authentication tokens granting access to users' social media posts were compromised, prompting Timehop to proactively deactivate all connection keys. This required users to re-authenticate their social media accounts within the app to restore functionality. The company emphasized that these tokens could not access private messages but theoretically permitted viewing of self-posted social media content during a limited window, though no evidence of unauthorized access was found.

Timehop's incident response, initiated July 5, involved implementing multifactor authentication across all cloud service accounts that previously lacked this protection, including those outside its primary cloud computing provider. Forensic investigators determined that the breach originated from an employee account without multifactor authentication, described as an oversight from the company's early operational phase. The company engaged federal law enforcement, retained GDPR compliance specialists to notify European users, and contracted a cybersecurity firm to monitor dark web activity for the stolen data. Public disclosure occurred via a blog post on July 8, after preliminary Twitter notifications that referred to "unscheduled maintenance." User notifications were delivered through in-app alerts during reauthentication, with mass email notifications delayed due to technical preparations. Timehop also strengthened encryption within its environment and assured users that their consecutive-usage "Streaks" would remain unaffected by the service interruptions.
