Timehop admits to more data leakage, details GDPR danger
Bad actor was inside social network for months without being detected
Nostalgia aggregator Timehop has revised its advice about the data breach it reported earlier this week.
The news is bad in two dimensions, the first of which is that the company has found more data was accessed. Updates to its oops! post have now added “dates of birth, gender [and] country codes” to the list of lost information, in addition to names, email addresses and phone numbers. After “closer examination of forensics and logs” the company has also revised its estimates of lost records and added an analysis of how many put it on the wrong side of GDPR.
Here’s its full accounting of the leakage.
| Type of Personal Data Combination | Number of breached records | Number of breached GDPR records |
| --- | --- | --- |
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, email address, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 18.6 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |
The second nasty dimension is that Timehop has revealed that the attacker who lifted the data was able to access its systems since December 2017 and logged on during March and April 2018 without detection, in part thanks to the absence of two-factor authentication. Those visits yielded nothing of value, but “In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”
The timeline also reveals that while Timehop observed the attacker had changed database passwords and done some CPU-churning and end-user-disrupting work with snapshots, the company didn’t realise it had been attacked for nearly 24 hours.
The steps that followed suggest swift escalation to the C-suite, but by the time incident response processes kicked in the data was gone.
With the company admitting its GDPR exposure, The Register imagines some dark days lie ahead of Timehop given the magnitude of penalties available under that regulation. ®