Timehop has shared additional details regarding the recent data breach that impacts nearly 21 million users, claiming that additional personally identifiable information (PII) was compromised during the attack.

The firm originally disclosed the breach in a blog post last Saturday, stating that one or more hackers gained unauthorized access to a database storing the usernames, phone numbers, email addresses, and social media access tokens of all Timehop users. Now the firm says that users’ dates of birth, gender designations, and country codes were also exposed.

The investigation into the incident is still ongoing, but so far the company believes the hacker walked away with 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers.

Timehop was originally targeted on December 19, 2017, when an authorized admin user’s credentials were used by an unauthorized party to log into the firm’s cloud computing environment. The hacker then created a new admin account and carried out reconnaissance in the firm’s cloud environment until Timehop finally spotted the activity on July 4.

On July 4 the hacker made a copy of the user database and then changed the password, which caused service disruptions and triggered internal alerts. Unfortunately, it took Timehop almost 24 hours after the first alert to determine that it had been breached.

In the update published on Wednesday, the firm admitted, “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything”. The update also gives the number of impacted PII records that fall under the recently introduced GDPR. Here is a detailed breakdown of the records, and the GDPR-covered records, compromised in the security breach:

| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |


Under the General Data Protection Regulation (GDPR), companies must report breaches to supervisory authorities within 72 hours of discovering the breach. Many security researchers believe this timeframe was not enough for Timehop to determine the full scope of the breach, which led to the company sharing misleading information with victims.

While the accelerated disclosure timeline may have led to some miscommunication, the firm’s classic mistake of not enforcing two-factor authentication is inexcusable. Two-factor authentication, combined with intelligent change control that monitors for configuration changes (such as the creation of a new admin account in the cloud environment), would have significantly reduced Timehop’s likelihood of being breached.
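As an added illustration of the change-control monitoring recommended above (this is example code, not NNT’s product or Timehop’s tooling), the script below walks a constructed cloud audit trail that mirrors the reported intrusion and flags each step: a login without MFA, a new principal granted an admin policy, and a later database credential change by that principal. Event and field names (`ConsoleLogin`, `CreateUser`, `AttachUserPolicy`, `ModifyDBInstance`, `mfa_used`) are assumptions modelled loosely on a cloud provider’s API log, not the real records from the incident.

```python
# Constructed sample audit events, loosely modelled on a cloud provider's API
# audit trail. Field names and values are assumptions for this example, not
# Timehop's real logs; the sequence only mirrors the incident as reported.
SAMPLE_EVENTS = [
    {"time": "2017-12-19T03:14Z", "event": "ConsoleLogin", "actor": "ops-admin",
     "mfa_used": False, "source_ip": "203.0.113.7"},
    {"time": "2017-12-19T03:20Z", "event": "CreateUser", "actor": "ops-admin",
     "target": "svc-backup"},
    {"time": "2017-12-19T03:21Z", "event": "AttachUserPolicy", "actor": "ops-admin",
     "target": "svc-backup", "policy": "AdministratorAccess"},
    {"time": "2018-03-01T09:00Z", "event": "ConsoleLogin", "actor": "alice",
     "mfa_used": True, "source_ip": "198.51.100.4"},
    {"time": "2018-07-04T14:02Z", "event": "ModifyDBInstance", "actor": "svc-backup",
     "target": "users-db", "changed": ["master_password"]},
]

ADMIN_POLICIES = {"AdministratorAccess"}


def review_events(events):
    """Walk the trail in time order and return (severity, message) findings.

    Checks map to the reported intrusion steps: an interactive login without
    MFA, a newly created principal granted an admin policy (the configuration
    change that change-control monitoring should raise), and a database
    credential change made by such a principal, which links the July action
    back to the December foothold.
    """
    findings = []
    created_by = {}           # new principal -> actor who created it
    admin_principals = set()
    for e in sorted(events, key=lambda x: x["time"]):
        name, actor, when = e["event"], e["actor"], e["time"]
        if name == "ConsoleLogin" and not e.get("mfa_used"):
            findings.append(("high", f"{when}: {actor} logged in without MFA "
                                     f"from {e.get('source_ip', '?')}"))
        elif name == "CreateUser":
            created_by[e["target"]] = actor
            findings.append(("medium", f"{when}: {actor} created user {e['target']}"))
        elif name == "AttachUserPolicy" and e.get("policy") in ADMIN_POLICIES:
            admin_principals.add(e["target"])
            findings.append(("critical", f"{when}: {actor} granted {e['policy']} "
                                         f"to {e['target']}"))
        elif name == "ModifyDBInstance" and "master_password" in e.get("changed", []):
            sev = "critical" if actor in admin_principals else "high"
            via = f" (user created by {created_by[actor]})" if actor in created_by else ""
            findings.append((sev, f"{when}: {actor} changed master password "
                                  f"on {e['target']}{via}"))
    return findings
```

Run against the sample trail it yields four findings; the MFA-backed login by `alice` is left alone, and the July password change is tied back to the account created in December.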

Copyright 2018, New Net Technologies LLC. All rights reserved. 