Timehop's lack of 2FA led to data breach affecting 21 million users

By midian182
Jul 9, 2018
Timehop wrote that the intrusion took place on July 4 and that users’ names and email addresses were exposed. Additionally, phone numbers linked to 4.7 million accounts were also stolen. The company stressed that no private/direct messages, financial data, or social media or photo content were affected.

    Timehop is advising those who shared their phone numbers with the company to “take additional security precautions with your cellular provider to ensure that your number cannot be ported.”

Authorization tokens used by Timehop to access social media sites like Facebook and Twitter were taken during the breach. The company says it deactivated these keys a few hours after it detected the intrusion, but warned that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts,” while adding that it has “no evidence that this actually happened.”

    Preparations for the attack began in December when an unauthorized person used admin credentials to log into the company’s cloud computing environment, which it admits was not protected by multifactor authentication. Recon activities took place over the next two days, and the person logged in two more times before the July 4 attack.

Timehop has now restored its services after resetting all its passwords and adding multifactor authentication. It is working with local and federal law enforcement to investigate the breach. Security is being enhanced and the company is conducting a complete audit.

    A technical report on the incident can be found here.

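As an added illustration of the detection gap the article describes (this is not code from Timehop or from TechSpot): a small Python check over constructed, CloudTrail-style console-login records that flags privileged logins made without MFA and first-seen source IPs for a privileged identity, the two signals that would have surfaced the December logins months before the July attack. The record format, the user name `admin` and the IP addresses are assumptions.

```python
"""Flag cloud console logins that match the pattern in the Timehop
write-up: a privileged identity logging in without MFA, and a privileged
identity appearing from a source IP never seen for it before.
The events below are constructed, CloudTrail-style records (assumed
format); they are not Timehop's real logs."""
import json
from collections import defaultdict

# Constructed sample events: two December admin logins from one IP,
# a routine MFA-protected login by a non-privileged user, and the
# July login from a fresh IP (all values are made up for this example).
SAMPLE_EVENTS = [
    {"eventTime": "2017-12-19T03:12:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-12-20T22:40:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-03-02T10:05:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-07-04T19:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "admin"}, "sourceIPAddress": "192.0.2.99",
     "additionalEventData": {"MFAUsed": "No"}},
]


def find_risky_logins(events, privileged=("admin",)):
    """Return (time, user, ip, reasons) for each console login that lacks
    MFA or that comes from a source IP not previously seen for a
    privileged user. Events are processed in time order so that 'first
    seen' is evaluated against earlier logins only."""
    seen_ips = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        user = ev["userIdentity"].get("userName", "?")
        ip = ev.get("sourceIPAddress", "?")
        reasons = []
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            reasons.append("no-mfa")
        if user in privileged and ip not in seen_ips[user]:
            reasons.append("new-ip-for-privileged-user")
        seen_ips[user].add(ip)
        if reasons:
            findings.append((ev["eventTime"], user, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_risky_logins(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

In a real deployment the same logic would run against the cloud provider's audit log stream, with the privileged set populated from the IAM configuration rather than hard-coded.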

Trillionsin (TS Evangelist, Posts: 1,761, +369)

When are we going to start holding these companies responsible? Arg, matey.
jonny888 (TS Booster, Posts: 55, +60)

    A lot of conjecture and assumptions there. The attack could also have potentially been stopped by restricted network access, better password protection policies, login IP monitoring, better social engineering education (how did the attackers get the password in the first place?) etc. To assume that 2FA is the sole solution to/cause of the problem seems pretty random. Not to say that 2FA couldn't have also stopped it, but I don't get the focus on it.

Squid Surprise (TS Evangelist, Posts: 2,306, +1,322)

    Agreed! We’ve already seen plenty of cases where networks and companies have been compromised even with 2FA enabled... sometimes it’s as easy as “borrowing” someone’s Smartphone for a few minutes...
A network is only as secure as its weakest link - that’s usually the dumbest employees :)