Timehop has disclosed a major security breach in which the personal data of 21 million users, nearly its entire user base, was compromised.
Timehop provides a service that plugs into users' social media accounts to resurface old posts and photos from years past. The company publicly disclosed the breach in a blog post last Saturday, several days after discovering it. Timehop discovered the attack while it was in progress: it began at 2:04 US Eastern Time on July 4 and was interrupted 2 hours 19 minutes later. In that time the attacker still managed to exfiltrate the names and email addresses of 21 million users, along with 4.7 million phone numbers attached to user accounts.
The keys (social media access tokens) that allow Timehop to read users' social media content and show it back to them were also compromised. All of these keys have since been deactivated, so Timehop users must re-authenticate in the app to continue using the service.
According to the firm's preliminary investigation, on December 19, 2017 the credentials of an authorized administrative user were used by an unauthorized party to log in to the firm's cloud computing provider. The attacker then created a new administrative account and conducted reconnaissance in the cloud computing environment. The attacker logged in again over the next two days, on one day in March 2018 and on one day in June 2018, carrying out further reconnaissance each time.
While working to contain the incident, Timehop contacted local and federal law enforcement officials, presumably to report the breach. Breach reporting requirements are deeply ingrained in the EU's recently enacted data protection framework, the General Data Protection Regulation (GDPR), which requires companies to notify supervisory authorities within 72 hours of becoming aware of a security incident. The firm says it is working proactively and notifying all EU users of the incident as quickly as possible.
The attacker gained access to Timehop's cloud computing environment by targeting an administrative account that was not protected by multifactor authentication, a blatant security failure on Timehop's part: with a single factor, a stolen or reused password is all it takes.
The CIS Controls place the controlled use of administrative privileges, including multifactor authentication for administrative access, among the six "Basic" controls that are essential cybersecurity hygiene for any environment, cloud included. This control, CIS Control 4: Controlled Use of Administrative Privileges, is made up of nine sub-controls, including but not limited to:
- Maintaining an inventory of administrative accounts
- Changing default passwords
- Ensuring the use of dedicated administrative accounts
- Using multi-factor authentication for all administrative access
- Logging and alerting on changes to administrative group memberships
- Logging and alerting on unsuccessful administrative account logins
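As an added example (not code from NNT, Timehop or CIS), the Python script below shows what the logging-and-alerting sub-controls above look like in practice when run over cloud audit-log events. The log format, field names, account names and events are all constructed for the illustration; real providers' audit logs (AWS CloudTrail, GCP audit logs, Azure Activity Log) use different schemas, so only the field extraction would change. It flags administrative logins made without MFA (sub-control 4.5), additions to or removals from an administrative group (4.8), calling out members that are not in the admin inventory (4.1), and every unsuccessful administrative login together with the count seen in a trailing 10-minute window (4.9).

```python
"""Alerting for CIS Control 4 sub-controls 4.5, 4.8 and 4.9 over a constructed
cloud audit log. Added example; not code from NNT, Timehop or CIS. The event
schema (time/event/actor/target/group/mfa/outcome) is hypothetical."""
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators"}   # groups that confer admin rights (assumed)
KNOWN_ADMINS = {"alice-admin"}      # CIS 4.1 inventory of admin accounts (constructed)
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample events. The sequence follows the pattern described above:
# an admin credential used without MFA, a new account placed in the admin
# group, reconnaissance, a later login by the new account, and finally a
# burst of failed admin logins.
SAMPLE_LOG = """\
{"time": "2017-12-19T20:15:00Z", "event": "ConsoleLogin", "actor": "alice-admin", "mfa": false, "outcome": "success"}
{"time": "2017-12-19T20:21:00Z", "event": "CreateUser", "actor": "alice-admin", "target": "svc-backup2", "outcome": "success"}
{"time": "2017-12-19T20:22:00Z", "event": "AddUserToGroup", "actor": "alice-admin", "target": "svc-backup2", "group": "Administrators", "outcome": "success"}
{"time": "2017-12-19T20:25:00Z", "event": "ListUsers", "actor": "alice-admin", "outcome": "success"}
{"time": "2017-12-20T03:00:00Z", "event": "ConsoleLogin", "actor": "svc-backup2", "mfa": false, "outcome": "success"}
{"time": "2018-06-22T09:00:00Z", "event": "ConsoleLogin", "actor": "bob", "mfa": true, "outcome": "success"}
{"time": "2018-07-04T18:04:00Z", "event": "ConsoleLogin", "actor": "alice-admin", "mfa": false, "outcome": "failure"}
{"time": "2018-07-04T18:04:30Z", "event": "ConsoleLogin", "actor": "alice-admin", "mfa": false, "outcome": "failure"}
{"time": "2018-07-04T18:05:00Z", "event": "ConsoleLogin", "actor": "alice-admin", "mfa": false, "outcome": "failure"}
"""


@dataclass(frozen=True)
class Alert:
    rule: str      # CIS Control 4 sub-control the alert supports
    time: str
    actor: str
    detail: str


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text: str, known_admins=KNOWN_ADMINS) -> list[Alert]:
    """Return alerts for the events in log_text, in log order."""
    admins = set(known_admins)          # grows as accounts join admin groups
    failures = defaultdict(deque)       # actor -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor, kind, outcome = ev["actor"], ev["event"], ev.get("outcome")
        t = parse_time(ev["time"])

        # 4.8: every admin group membership change is alert-worthy, and an
        # added member counts as an admin from this point on, so a later
        # login by the new account is judged by the admin rules below.
        if kind in ("AddUserToGroup", "RemoveUserFromGroup") and ev.get("group") in ADMIN_GROUPS:
            target = ev["target"]
            if kind == "AddUserToGroup":
                admins.add(target)
                note = "added to" if target in known_admins else "added (not in admin inventory) to"
            else:
                admins.discard(target)
                note = "removed from"
            alerts.append(Alert("4.8", ev["time"], actor, f"{target} {note} {ev['group']}"))
            continue

        if kind != "ConsoleLogin" or actor not in admins:
            continue

        if outcome == "success":
            # 4.5: an admin session established without MFA. A missing mfa
            # field is treated as "no MFA" rather than silently passed.
            if not ev.get("mfa", False):
                alerts.append(Alert("4.5", ev["time"], actor, "admin login without MFA"))
        elif outcome == "failure":
            # 4.9: each failed admin login is alerted on, with the count seen
            # in the trailing window so a brute-force burst stands out.
            recent = failures[actor]
            recent.append(t)
            while t - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            alerts.append(Alert("4.9", ev["time"], actor,
                                f"failed admin login ({len(recent)} in last {FAILED_LOGIN_WINDOW})"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.time} [CIS {a.rule}] {a.actor}: {a.detail}")
```

Two design points matter here. An account added to an admin group mid-stream is treated as administrative from that event onward, so the newly created account's later non-MFA login is caught rather than ignored as a non-admin; that is exactly the gap a static admin inventory leaves open. And the 4.8 alert is raised on every change, not only for unknown accounts, because a legitimate-looking addition is still the event an investigator will want to find in the timeline.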
NNT solutions alone can help you satisfy these essential requirements. Change Tracker Gen7 monitors systems to ensure that administrative access and privileges are securely configured, and continuously monitors for any configuration changes made. Change Tracker intelligently detects when users with administrative privileges are added or removed and also ensures that systems are configured properly to prevent unauthorized users from executing malicious scripts.
Nor is this incident unique to Timehop. Taking over an administrative account is one of the oldest attack vectors there is, and time and again the majority of security breaches happen when basic controls are missing or poorly implemented. A study of the previous version of the CIS Controls showed that nearly 85% of cyber-attacks can be prevented by adopting the first five CIS Controls alone, and NNT solutions can help you satisfy the first six CIS Controls.
The firm has since stated that “we have now taken steps that include multi-factor authentication to secure our authorization and access controls on all accounts.” The firm also claims to have taken various other steps to secure their cloud environment, including conducting a user audit and permissions inventory, changing all passwords and keys and adding MFA to all accounts, revoking inappropriate permissions, and increasing monitoring.