The popular mobile app Timehop, which surfaces users’ social media posts from the same date in previous years, has been breached, exposing the credentials, phone numbers and personal SoMe histories of 21 million users. IT security experts commented below.
Jeannie Warner, Security Manager at WhiteHat Security:
“Believe it or not, I love social media! However, as a security expert, I must recommend that you carefully consider which applications you grant permission to access your Facebook, Instagram, Twitter, etc. There is always a danger when you read “Do you want to log on with Facebook?” These apps, which use your social media account login information, don’t have the ability to change your password. They merely check with the site, which then generates a token for the use of this app. I like to think of it as the difference between the badge for my office and the building key. The key can get people into the hallways, but only my badge and fingerprint can get you into my office. But this is still far too much access for an outsider.
Today’s breach of 21 million Timehop users’ personal information and social media login tokens should be a wakeup call. Applications like Timehop, which acquire explicit access to your personal information, social media connections and posts—both public and private—may not have strong intrinsic security. In the case of Timehop, its cloud servers weren’t even protected by multi-factor authentication, which should be a default at this point.
Organizations should work to prevent breaches like this, starting with security training and education, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk. Applying patches to applications immediately – not months after they become available – and making security testing a part of the entire lifecycle of an application, are all critical. Users can review which apps have what level of access through social media apps’ setting and privacy tools and adjust accordingly.”
Matt Lock, Director of Sales Engineers at Varonis:
“Apps are attractive targets for hackers because they often hold a trove of information about users. Unfortunately, many attackers are quite good at covering their tracks are never brought to justice. Victims of a breach must take responsibility with practical steps to help ensure their privacy. If you’re affected by this breach, change your passwords and remain on the lookout for scam emails and phone calls.
While you don’t have to delete all the apps from your phone and tablet, you can be proactive and take steps to protect your information: use a different user name and password for each app and for your email, periodically change your passwords, and stick with companies that offer two-factor authentication as an extra security precaution. You may want to think carefully before downloading a new app or another internet browser on your phone: be especially mindful of the permissions you grant these third-party applications. Ask yourself if you can really trust the developer with your personal information and details like your location, contacts, and more. Most of us would never allow our own government to track our whereabouts, but would not think twice about giving this permission to an app you know very little about.”
Allen Scott, Consumer EMEA Director at McAfee:
“Another day, another security breach. If you combine the amount of user data that was exposed in the last week alone across the Gmail, Fortnum and Mason and Costa breaches and now the 21 million users affected by the Timehop attack, it’s understandable that consumers are getting worried.
“We cannot rely on single-factor authentication for our passwords, to protect our digital lives. Frustratingly I’m sure many Timehop users had the same password linked to their Instagram, Facebook and Twitter accounts. In fact, recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to.
“If you use the same password for Timehop and a number of other apps and accounts you need to change it NOW. A cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information across a number of accounts. We know it’s hard to remember all your passwords but using a password generator and manager can help solve this problem and ensure you don’t become an easy target for these sophisticated cybercriminals.”
Steve Schult, Sr. Director Product Management at LastPass:
“The Timehop breach highlights that multi-factor authentication should be part of an organisation’s security policy, and enforced across all accounts. It should also be a lesson for business leaders and IT teams, as to why basic security measures are in place before, and not after, a company is breached.
Multi-factor authentication is one of the most effective ways of protecting accounts, it adds another layer of security by requiring an additional piece of information (such as a one-time code of finger print) at authentication before access is granted. For Timehop, this would have meant that even though the admin credentials were compromised, the hacker wouldn’t have been able to gain entry into the cloud environment. However, whilst there are clear benefits from multi-factor authentication, this should also not be an excuse to practice poor password habits. Having a complex, unique password will reduce the risk of credentials being obtained in the first place.
Chris Steffen, Technical Director at Cyxtera:
“Breaches involving the unauthorized use of privileged credentials are unfortunately fairly common, and Timehop is just the most recent victim to come forward.
“At minimum, any organization using public cloud infrastructure needs to take full advantage of the security tools offered natively by the vendor that they are using. In the case of Timehop, it appears that they did not implement basic two factor authentication offered by their cloud provider and by many third party network security tools.
“Ideally, Timehop would use an identity-centric, network enforced software-defined perimeter (SDP) solution to secure all of their network environments, including AWS, Azure and Google Cloud Platform.
“Using an SDP solution, Timehop would be able to enforce a standard set of security controls across all of their environments, while integrating with the security tools and groups provided by the cloud provider. Using SDP would provide multiple factors of dynamic and context aware user authentication, as well as provide logging and tracking of user access.”
David P. Vergara, Head of Security Product Marketing at OneSpan:
“There are 21 million users of Timehop that should be furious right now for two reasons. The first is that there is absolutely no excuse for any business today not to deploy multi-factor authentication to secure access to applications as it’s both effective and inexpensive. The second is the period of time that the breach went undetected and how long it took to sever the hacker’s access. This is one more huge wake-up call for businesses to roll out MFA and take the protection of their user’s data much more seriously.”
Robert Wassall, Head of Legal Services, and Data Protection Lawyer at ThinkMarble:
“In alerting the public to this serious data breach, Timehop’s swift and thorough notification is an example of how businesses should respond post-GDPR. While Timehop could be praised for its openness, under the GDPR such a response represents basic compliance. The company has not gone above and beyond – this is what the GDPR demands, and it has responded appropriately under the legislation. It’s likely that of the 21 million affected users, a sizeable proportion will be based in the UK and Europe. It’s surprising then that in its statement the company mentions the GDPR as a closing thought. Global companies need to understand that the GDPR might be European legislation, but it has global resonance. Any enterprise with a worldwide customer base needs to put the GDPR at the forefront of its data protection strategy. Ultimately that will pay dividends in global compliance practices, increasing trust, reputation and instilling good practice no matter where customers are based.”
James Houghton, Chief Technical Officer at ThinkMarble:
“There are also technical learnings to take from this breach. Firstly, GDPR-compliant strategies need to employ data obfuscation and pseudonymisation. Article 3 of the legislation makes clear that the processing of data requires a system that anonymises individual customer data entirely. It appears Timehop failed to do this. Secondly, as far back as December 2017 it appears that Timehop failed to enact two-factor authentication. This is especially concerning given this should be considered a minimum requirement. This is yet another example of businesses not going back to basics and covering the fundamentals of cyber and information security.”
Dan Pitman, Senior Solutions Architect at Alert Logic:
“We’re seeing an increase in breach notification, as organisations do their utmost to adhere to the 72 hour imposed timescales. Although Timehop were guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly.”
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
