The above table has been added in the recent update

Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. These keys were deauthorized by Timehop acting in concert with its social media provider partners by Sunday, July 8, at 3:30 pm Eastern Time. Timehop did not report the breach, which it discovered on July 5, 2018, to its users until after it was certain that the keys had been deauthorized and our social media provider partners had reported that they had not observed any suspicious activity. Timehop did this to ensure that it did not enable attacks by going public, which could encourage the attackers to move quickly to exploit their stolen data.

These keys can no longer be used by anyone - so users must re-authenticate to our App. If you have noticed any content not loading, it is because Timehop deactivated these proactively.

We have no evidence that any accounts were accessed without authorization.

We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.

You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.

The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data (but we do log IP addresses for network audit purposes as described in our Terms of Service) ; we don’t store copies of your social media profiles, we separate user information from social media content - and we delete our copies of your “Memories” after you’ve seen them.

We log IP addresses for network audit purposes as disclosed in our Terms of Service. The servers that we run, like all web servers, log incoming traffic information, including IP addresses. At the scale at which Timehop operates, the servers generate millions of log lines. While we continue to investigate, at this time we have no indication that any of these were disclosed. Due to the manner in which log queries work with our cloud provider, we will never be able to say with 100% certainty that the intruders did not access IP addresses. Therefore, we are giving notification, now, that your IP address may have been compromised.

What is Next For Users?

Because we have invalidated all API credentials, if you have not already done so, you will be asked to log in again to Timehop and re-authenticate each service you wish to use with Timehop. This will generate a new, secure token. Because your data’s integrity is our first priority, we have deauthorized tokens as quickly as possible. As we mentioned, if you have noticed any content not loading, it is because we deactivated these tokens proactively. Additionally, user streaks have been frozen and maintained for the time being. If you have any issues please let us know.

Phone Number Security

If you used a phone number for login, then Timehop would have had your phone number. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.

If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.

If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.

For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.

What Happened?

At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.

The attack was detected, and two hours and nineteen minutes later - at 4:23 PM that same day - our engineers responded to the event (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.

While we continue to investigate, we have confirmed that this intrusion led to a breach of some data:

Names, some email addresses, dates of birth, gender, country codes, and some phone numbers belonging to our customers have been compromised.

Additionally, “access tokens” provided to Timehop by our social media providers were also taken. These tokens could allow a malicious actor to view without permission some of your social media posts. (as you will read below, we have terminated these tokens and they can no longer be used). In situations where our social media partners made use of two-part keys - a user part and a “secret” part - our secret parts of the keys were not compromised.

While we continue to investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.

Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened.

All the compromised tokens have been deauthorized, and are no longer valid. In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens.

How Has Timehop Responded?

On the 4th of July, when Timehop detected the activity, our engineers moved rapidly to limit the damage created by this breach. On July 4th, before they understood this to be a security incident, the engineers restored service. On July 5th, as you can see on the timetable, the engineers began to treat this as an information security incident.

It is moving aggressively and proactively to notify users, partners, and customers that the breach occurred. Timehop’s first priority has been to defend the social media and account data of its customers.

To that end:

Timehop has conducted an initial audit, and continues to conduct a thorough audit, of all accounts, credentials, and permissions granted to all authorized users; and deployed enhanced security protocols to secure our systems, remove the intruders and protect your data. This document has been updated to reflect the latest available information. We will continue to update this document until we feel it is complete.

Timehop has engaged a well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.

Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance.

It has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, helping to prevent further attacks.

Timehop is in communication with local and federal enforcement officials, and is providing all requested information to cooperate in all respects with any investigation.

Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.

What Are All These Terms, And What Do They Mean

Attacker

An attacker is a user who gains access to our systems without our permission. Another common way to put it is that an attacker is an unauthorized user, or a “hacker”.

Compromise

A Compromise is an incident in which an unauthorized user breaks the confidentiality, integrity, or availability of a service - quite simply, it means that our security was broken.

Exposure

During a Compromise (or, “When our security is broken”) any data that the attackers - the unauthorized users - may have been able to look at, copy, or download can be considered to have been exposed.

Breach

A Breach is when data is actually taken from (or, “exfiltrated”) from our computing environment. It means that the attacker was able to break through our security and take what they wanted. This is different from a mere intrusion, which just means that someone got in to our system.

Network Intrusion

A Network Intrusion is any time an unauthorized user, or attacker, is able to penetrate our network defenses and gain access to data or resources within our network.

Key

An encryption key is used to encrypt or decrypt, data. A computer uses an encryption key to access data or services in much the same way a human uses a user name and a password. An encryption key is a string of characters that is created to scramble and unscramble data.

Access Token

An access token identifies a specific account and its credentials; it is sort of similar to the way your bank uses a routing number and account number to send money.

Cloud Computing Provider

Cloud computing is a fancy way to describe a data center not within our corporate headquarters, where our servers are stored and operated, and reached via the Internet. The best known cloud computing providers are Amazon Web Services, Microsoft Azure, and Google Cloud, but there are many such providers.

Reconnaissance

Cyber Reconnaissance is the activity of looking around in a computer network and becoming familiar with what kinds of computers, services, and data are present.

Dark Web

The Dark Web is a set of Internet web sites that anonymize user traffic, and are accessible only using special encryption software. The Dark Web holds legitimate and illegitimate services and Web sites.

Frequently Asked Questions



What was breached and when?

A database containing usernames, dates of birth, genders, country codes, phone numbers, email addresses, and social media access tokens was breached on July 4, 2018. Social media access tokens were taken for all accounts. Not all accounts had names, phone numbers, or email addresses. Most accounts contained gender, country codes and date of birth information.

How do we know there won’t be more PII?

People have asked us whether more personally identifiable information will come out, and if we say no, how they can know. Rather than simply assure you, we are taking the transparent step of simply posting publicly the entirety of the schema of the table that contained personally identifiable information, so you can see for yourself what was taken. Note, as we have stated, an entire database was taken, and that database included access keys to social media sites. Those keys were in a different table of the database, which contained no PII, and which we are therefore not disclosing.