Millions of accounts compromised after the digital nostalgia app Timehop got hacked
The developer assures users that the contents of the posts they compiled through the app, called "memories", were not accessed. The hackers also obtained the "keys" that allow the app to show you posts from the sources you've chosen. These keys have since been deactivated, which makes them useless to the attackers. Users who have their phone numbers associated with the app are advised to contact their carrier and further secure their accounts, to prevent their number from being ported.
As an extra security measure, all accounts have been logged out. Users must log in and re-authenticate each social media account they have connected to Timehop in order to receive a new and secure key. However, many users are now reporting that they can't log in to their accounts at all, so it seems the team has some more work to do before things are back to normal.
According to the release, the attack was detected and interrupted less than 3 hours after it started. The information was stolen through an administrative account created by an unauthorized user on December 19, 2017. Since its creation, that account was used four times for what Timehop calls "reconnaissance activities". These activities were not detected by the security software because no data was moved or copied. Logs are still being examined to determine exactly what happened during that time.
Timehop system administrators have added the necessary protections for the accounts that didn't have them and are confident such an attack can't be repeated.
July 12 update:
As a result of the ongoing investigation, Timehop has released additional information, specifying the type and amount of stolen data.
According to the company, the attackers also have dates of birth and gender information about some of its users. Here are some of the updated numbers:
- 18.6 million addresses (not 21 million as originally reported);
- 15.5 million dates of birth;
- 3.3 million of the accounts had all of the following compromised: name, email, date of birth, phone number.
The full breakdown can be found in the source.