Timehop Security Incident, July 4th, 2018

Updated on July 27th, 2020
New text is underlined.

 

On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.

First off, we would like to unequivocally apologize to our users for this incident. We commit to transparency about this incident, and this document is part of our providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.

Updated July 10, 2018: Since the original posting of this document, our investigation has continued as promised. We now make public more data, a full timeline of the attack, more granular information about the types of Personally Identifiable Information that were breached, and a narrative to contextualize these disclosures. We will continue to update this document regularly as more information becomes available.

Updated July 27, 2020: Timehop has continued to monitor surface and Dark Web forums and marketplaces for evidence that the data are for sale, and to monitor Pastebin and similar sites for dumps of the data. We have no evidence that the data have been distributed. In mid-2020, unconfirmed offers to sell Timehop user data appeared briefly on some forums, but we cannot establish the legitimacy of the offers. Timehop continues to monitor, and will update this page as necessary.

Details:

  • Some data was breached. These include names, email addresses, dates of birth, gender of users, country codes, and some phone numbers. We had previously reported email addresses, phone numbers, and names. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.

  • To reiterate: none of your “memories” - the social media posts & photos that Timehop stores - were accessed.

  • These new types of data are not part of a second breach. The incident we announced is the only incident we have suffered to date. The new information is the result of closer examination of forensics and logs.

  • Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records

These are to be considered separately of one another - these are not additive. The total number of breached records was approximately 21 million. 

Type of Personal Data Combination # of Breached Records # of Breached GDPR Records
Name, email, phone, DOB 3.3 million 174,000
Name, email address, phone 3.4 million 181,000
Name, email address, DOB 13.6 million 2.2 million
Name, phone number, DOB 3.6 million 189,000
Name and email address 18.6 million 2.9 million
Name and phone number 3.7 million 198,000
Name and DOB 14.8 million 2.5 million
Name total 20.4 million 3.8 million
DOB total 15.5 million 2.6 million
Email addresses total 18.6 million 2.9 million
Gender designation total 9.2 million 2.6 million
Phone numbers total 4.9 million 243,000

The above table has been added in the recent update

  • Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. These keys were deauthorized by Timehop acting in concert with its social media provider partners by Sunday, July 8, at 3:30 pm Eastern Time. Timehop did not report the breach, which it discovered on July 5, 2018, to its users until after it was certain that the keys had been deauthorized and our social media provider partners had reported that they had not observed any suspicious activity. Timehop did this to ensure that it did not enable attacks by going public, which could encourage the attackers to move quickly to exploit their stolen data.

  • These keys can no longer be used by anyone - so users must re-authenticate to our App.

    • If you have noticed any content not loading, it is because Timehop deactivated these proactively.

  • We have no evidence that any accounts were accessed without authorization.

  • We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.

  • You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.

  • The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data (but we do log IP addresses for network audit purposes as described in our Terms of Service) ; we don’t store copies of your social media profiles, we separate user information from social media content - and we delete our copies of your “Memories” after you’ve seen them.

  • We log IP addresses for network audit purposes as disclosed in our Terms of Service. The servers that we run, like all web servers, log incoming traffic information, including IP addresses. At the scale at which Timehop operates, the servers generate millions of log lines. While we continue to investigate, at this time we have no indication that any of these were disclosed. Due to the manner in which log queries work with our cloud provider, we will never be able to say with 100% certainty that the intruders did not access IP addresses. Therefore, we are giving notification, now, that your IP address may have been compromised.

What is Next For Users?

Because we have invalidated all API credentials, if you have not already done so, you will be asked to log in again to Timehop and re-authenticate each service you wish to use with Timehop. This will generate a new, secure token. Because your data’s integrity is our first priority, we have deauthorized tokens as quickly as possible. As we mentioned, if you have noticed any content not loading, it is because we deactivated these tokens proactively. Additionally, user streaks have been frozen and maintained for the time being. If you have any issues please let us know.

Phone Number Security

If you used a phone number for login, then Timehop would have had your phone number. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.

If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.

If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.

For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.

What Happened?

At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.

The attack was detected, and two hours and nineteen minutes later - at 4:23 PM that same day - our engineers responded to the event (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.

While we continue to investigate, we have confirmed that this intrusion led to a breach of some data:

  • Names, some email addresses, dates of birth, gender, country codes, and some phone numbers belonging to our customers have been compromised.

  • Additionally, “access tokens” provided to Timehop by our social media providers were also taken. These tokens could allow a malicious actor to view without permission some of your social media posts. (as you will read below, we have terminated these tokens and they can no longer be used). In situations where our social media partners made use of two-part keys - a user part and a “secret” part - our secret parts of the keys were not compromised.

While we continue to investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.

Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened.

All the compromised tokens have been deauthorized, and are no longer valid. In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens.  

How Has Timehop Responded?

On the 4th of July, when Timehop detected the activity, our engineers moved rapidly to limit the damage created by this breach. On July 4th, before they understood this to be a security incident, the engineers restored service. On July 5th, as you can see on the timetable, the engineers began to treat this as an information security incident.

It is moving aggressively and proactively to notify users, partners, and customers that the breach occurred. Timehop’s first priority has been to defend the social media and account data of its customers.

To that end:

  • Timehop has conducted an initial audit, and continues to conduct a thorough audit, of all accounts, credentials, and permissions granted to all authorized users; and deployed enhanced security protocols to secure our systems, remove the intruders and protect your data. This document has been updated to reflect the latest available information. We will continue to update this document until we feel it is complete.

  • Timehop has engaged a well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.

  • Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance.

  • It has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, helping to prevent further attacks.

  • Timehop is in communication with local and federal enforcement officials, and is providing all requested information to cooperate in all respects with any investigation.

  • Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.

What Are All These Terms, And What Do They Mean

Attacker

An attacker is a user who gains access to our systems without our permission. Another common way to put it is that an attacker is an unauthorized user, or a “hacker”.

Compromise

A Compromise is an incident in which an unauthorized user breaks the confidentiality, integrity, or availability of a service - quite simply, it means that our security was broken.

Exposure

During a Compromise (or, “When our security is broken”) any data that the attackers - the unauthorized users  - may have been able to look at, copy, or download can be considered to have been exposed.

Breach

A Breach is when data is actually taken from (or, “exfiltrated”) from our computing environment. It means that the attacker was able to break through our security and take what they wanted. This is different from a mere intrusion, which just means that someone got in to our system.

Network Intrusion

A Network Intrusion is any time an unauthorized user, or attacker, is able to penetrate our network defenses and gain access to data or resources within our network.

Key

An encryption key is used to encrypt or decrypt, data. A computer uses an encryption key to access data or services in much the same way a human uses a user name and a password. An encryption key is a string of characters that is created to scramble and unscramble data.

Access Token

An access token identifies a specific account and its credentials; it is sort of similar to the way your bank uses a routing number and account number to send money.

Cloud Computing Provider

Cloud computing is a fancy way to describe a data center not within our corporate headquarters, where our servers are stored and operated, and reached via the Internet. The best known cloud computing providers are Amazon Web Services, Microsoft Azure, and Google Cloud, but there are many such providers.

Reconnaissance

Cyber Reconnaissance is the activity of looking around in a computer network and becoming familiar with what kinds of computers, services, and data are present.

Dark Web

The Dark Web is a set of Internet web sites that anonymize user traffic, and are accessible only using special encryption software. The Dark Web holds legitimate and illegitimate services and Web sites.

Frequently Asked Questions
 

What was breached and when?

A database containing usernames, dates of birth, genders, country codes, phone numbers, email addresses, and social media access tokens was breached on July 4, 2018. Social media access tokens were taken for all accounts. Not all accounts had names, phone numbers, or email addresses. Most accounts contained gender, country codes and date of birth information.

How do we know there won’t be more PII?

People have asked us whether more personally identifiable information will come out, and if we say no, how they can know. Rather than simply assure you, we are taking the transparent step of simply posting publicly the entirety of the schema of the table that contained personally identifiable information, so you can see for yourself what was taken. Note, as we have stated, an entire database was taken, and that database included access keys to social media sites. Those keys were in a different table of the database, which contained no PII, and which we are therefore not disclosing.

Breached Database Column Plain English Description What this is:
id An automatically incrementing ID number
facebook_user_id The Facebook user ID associated with a user; this has been deprecated in this table, and is public information
created_at timestamp The time at which the record was created
updated_at timestamp The time at which the record was last updated
persistence_token An authorization token that kept the user’s session active. deprecated and no longer used
email_address The email address of the user
first_name The user’s first name as listed in social media sites (not necessarily the person’s legal first name)
last_name The user’s last name as listed in social media sites (not necessarily the person’s legal last name)
subscribed Whether the user’s subscribed to legacy Timehop email. Deprecated and no longer used. Historical artifact from when Timehop was a daily email
admin Whether the person has privileges to conduct some testing on local, native mobile applications
time_zone The time zone identified to us by the user’s device
signup_steps_completed Whether the user has completed the steps to sign up for the Timehop service
beta Whether the user is registered as a Beta tester to help test early releases of the application.
guid A Globally Unique IDentifier Deprecated (no longer used)
lower_email_address The email address of the user converted to all lower case.
phone_number The user’s phone number as provided by user
username The user’s username
lower_username The user’s username converted to all lower case
has_downloaded_iphone_app Whether the user has downloaded the Timehop iPhone Application
downloaded_iphone_app_at timestamp When the user downloaded the Timehop iPhone Application
auth_token Legacy auth token column. Deprecated and no longer used.
downloaded_windows_app_at timestamp Whether the user has downloaded the discontinued Timehop Windows Application
downloaded_osx_app_at timestamp When the user downloaded the discontinued Timehop Mac OSX Application
latest_app_version The latest version of the Timehop application registered by the user
birthdate_key The User’s birthday as provided by social media (and possibly as corrected by the user) in UNIX format
last_opened_app_at timestamp The date and time the user last opened the Timehop application
bounced_at timestamp Timestamp of the last time a user’s email bounced. Deprecated and no longer used. Historical artifact from days when Timehop was a daily email.
downloaded_android_app_at timestamp When the user downloaded the Timehop Android Application
latest_android_app_version The latest version of the Timehop Android application registered by the user
last_opened_android_app_at timestamp The date and time the user last opened the Timehop application
throwbacks Deprecated product feature, no longer used
country_name The Country Name listed by the User in social media profiles
country The Country Code listed in the device used by the user
language The language setting listed in the device used by the user
gender The user’s gender as provided to social media networks.

The above table has been added in a recent update

How sensitive is the information?

The names, genders, country codes, and dates of birth of of some of our customers were breached. We note that In many cases these are not the customer’s full legal name but rather the social media name as listed on their account. However, combined with other, outside data, this may identify an individual. Dates of birth further add to this ability. Some of our customer’s email addresses were lost, and a smaller number of our customers’ phone numbers. No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.

Why didn’t you tell us about dates-of-birth and gender losses earlier?

There’s no non-embarrassing way to say this other than the truth: after beginning the incident response, the team identified our top three priorities: they were, (1) deauthorize all access keys and tokens that had been stolen so as to protect our users’ social media accounts; (2) understand our responsibilities under the brand-new GDPR reporting requirements; and (3) as soon as we completed (1) and (2), notify all users that their personally identifiable information had been breached and that they should take steps to defend their phone numbers.

To conduct (1), we needed to create tools to help us invalidate the credentials from our perspective, investigate whether any abuse had occurred; and make contact with high-level account security personnel at our social media provider partners in order for them to do the same. This was a highly complex set of tasks in what had been a holiday week, and involved multiple partners revoking millions of access keys and conducting simultaneous investigations across the United States. The team at Timehop worked from early in the morning on Friday and Saturday until nearly midnight both days, and by Sunday we had concluded that the keys had been deauthorized and that neither we nor any partner had found any evidence of abuse.

By late Sunday afternoon we decided that it was safe to inform our user base. In the meantime, on Thursday, Friday, and Saturday, we were in contact with our lawyers in the United States and Europe trying to understand our responsibilities under GDPR. These are highly complex, and no one has experience in handling notifications since the law just came into effect. By Sunday we felt we had enough information to begin our GDPR notification, and set our sights to informing our users, and then beginning the more unhurried audit and forensic analysis of events first thing Monday.

So … okay...but why didn’t you tell us about dates of birth and gender data?

Because we messed up. In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed. This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.

By Monday evening, as we understood the impact of having to release that more PII had been breached from the same event, we made the decision to also disclose more technical details about the event, more specific numbers of data lost, and a much more granular breakdown of the data types stolen. On that note, our investigation continues, and if we discover more data, we will inform you of that fact no matter how embarrassing that may be to us. We are absolutely committed to telling you what we know, when we know it.

We are deeply sorry for this secondary disclosure.  

Seriously?

We recognize this second disclosure creates the sensation that we are releasing information slowly, in a “drip drip” fashion, to mitigate the potential fallout. We can only assure you that this is not the case. If anything, we are deeply embarrassed to have to make this secondary disclosure. We have invited journalists to view the files and get briefed on the response, and we expect they will provide their views independently of ours.

It is important to note that there was no new breach. Systems were, as reported, locked down on July 5, 2018. What is new is that our ongoing investigation of the extent of the breach has unfortunately yielded one more piece of data that the intruders had access to.

How many users were affected?

Many records contained more than one of the following:

  • There were 20.4 million names in total (3.8 million in the GDPR zone).

  • There were 15.5 million dates-of-birth in total (2.6 million in the GDPR zone).

  • There were 18.6 million Email addresses total (2.9 million in the GDPR zone).

  • There were 9.2 million gender designations total (2.6 million in the GDPR zone).

  • There were 4.9 million phone numbers total (243,000 in the GDPR zone).

Will this affect my Streak?

No! By a wide margin, this has been the most commonly asked question, and the answer is that we will ensure all Streaks remain unaffected by this event.

Do you know if the data has been used?

We have no evidence that the data has been used, and we have no evidence that any were used in the short period during which they were exposed. On July 5th, Timehop has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.

What actions have you taken to ensure that this is the extent of the breach and won’t happen again?

There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment.  We immediately began actions to deauthorize compromised access tokens, and as we describe below, are worked with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases.

Has law enforcement been informed?

Yes. Timehop is in communication with local and federal law enforcement officials and will cooperate with all investigations on this matter.

What are the implications in Europe under the new GDPR privacy law?

The GDPR became effective very recently and there are not many guidelines on how key concepts such as “risks to the rights and freedoms of the individuals” should be interpreted, but we are being transparent and pro-active and notifying all EU users on a voluntary basis and have done so as quickly as possible. We are also in contact with EU authorities. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.