Timehop admits that additional personal data was compromised in breach

Timehop is admitting that additional personal information was compromised in a data breach on July 4. The company first acknowledged the breach on Sunday, saying that users' names, email addresses and phone numbers had been compromised. Today it said that additional information, including date of birth and gender, was also taken.

To understand what happened, and what Timehop is doing to fix things, I spoke to CEO Matt Raoul, COO Rick Webb and the security consultant that the company hired to manage its response.
(The security consultant agreed to be interviewed on the record on the condition that they not be named.)

To be clear, Timehop isn't saying that there was a separate breach of its data. Instead, the team has discovered that more data was taken in the already-announced incident.

Why didn't they figure that out sooner? In an updated version of its report (which was also emailed to customers), the company put it simply: "Because we messed up." It goes on:

"In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed. This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available."

In both the email and my interviews, the Timehop team noted that the service does not have any financial information from users, nor does it perform the kinds of detailed behavioral tracking that you might expect from an ad-supported service.
The team also emphasized that users' "memories" — namely, the older social media posts that people use Timehop to rediscover — were not compromised.

How can they be sure, particularly since some of the compromised data was overlooked in the initial announcement? Well, the breach affected one specific database, while the memories are stored separately. "That stuff is what we cared about, that stuff was protected," Webb said. The challenge is, "We have to make a mental note to think about everything else."

The breach occurred when someone accessed a database in Timehop's cloud infrastructure that was not protected by two-factor authentication, though Raoul insisted that the company was already using two-factor quite broadly; it's just that this "fell through the cracks."

It's also worth noting that while 21 million accounts were affected, Timehop had varying amounts of data about different users. For example, it says that 18.6 million email addresses were compromised (down from the "up to 21 million" addresses first reported), compared to 15.5 million dates of birth.
In total, the company says 3.3 million records were compromised that included names, email addresses, phone numbers and DOBs.

None of those things may seem terribly sensitive (anyone with a copy of my business card and access to Google could probably get that information about me), but the security consultant acknowledged that in the "very, very small percentage" of cases where the records included full names, email addresses, phone numbers and DOBs, "identity theft becomes more likely," and he suggested that users take standard steps to protect themselves, including password-protecting their phones.

Meanwhile, the company says that it worked with the social media platforms to detect activity that used the compromised authorization tokens, and it has not found anything suspicious.
At this point, all of the tokens have been deauthorized (requiring users to re-authorize all of their accounts), so it shouldn't be an ongoing issue.

As for other steps Timehop is taking to prevent future breaches, the security consultant told me the company is already in the process of ensuring that two-factor authentication is adopted across the board and encrypting its databases, as well as improving the process of deploying code to address security issues. In addition, the company has shared the IP addresses used in the attack with law enforcement, and it will be sharing its "indicators of compromise" with partners in the security community.

Everyone acknowledged that Timehop made real mistakes, both in its security and in the initial communication with customers.
(As the consultant put it, "They made a schoolboy mistake by not doing two-factor authentication.") However, they also suggested that their response was guided, in part, by the accelerated disclosure timeline required by Europe's GDPR regulations. The security consultant told me, "We haven't had the time to do the fine-toothed comb kinds of things we normally want to do," like an in-depth forensic analysis. Those things will happen, he said — but thanks to GDPR, the company needed to make the announcement before it had all the information.

And overall, the consultant said he'd been impressed by Timehop's response. "I think it really says a lot to their integrity that they decided to go fully public the second they knew it was a breach," he said. "I want to point out these guys responded within 24 hours with a full-on incident response and secured their environments. That's better than so many companies."
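The root cause described above, a cloud-hosted database reachable through a login that had no second factor, is the kind of gap a routine audit of sign-in paths catches, and the same audit should look at API access keys, which MFA never covers. As an added example that is not part of the original article or of Timehop's own tooling, and assuming AWS IAM (the article does not name the provider), here is a check over an IAM credential report that flags console users and the root account without MFA, plus active access keys that are stale or have never been used. The report rows are constructed for this example.

```python
"""Audit an AWS IAM credential report for sign-in paths that lack MFA.

Added example, not code from the article or from Timehop. It assumes AWS IAM
(the article does not name Timehop's cloud provider) and takes the CSV that
`aws iam get-credential-report` returns (the Content field, base64-decoded).
The column names and the "<root_account>" row follow the real report layout;
the sample below uses a subset of its columns and is constructed.
"""
import csv
import io
from datetime import datetime, timezone

ROOT_USER = "<root_account>"

# Constructed sample report for a hypothetical account (not real data).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2017-06-01T00:00:00+00:00,2018-07-04T02:00:00+00:00
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,false,false,true,2016-09-01T00:00:00+00:00,N/A
"""

# Constructed reference time for the age checks (a few days after the July 4 breach).
NOW = datetime(2018, 7, 9, tzinfo=timezone.utc)


def _parse_timestamp(value: str):
    """Turn a report timestamp into a datetime; the report's placeholder values become None."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _rows(report_csv: str):
    return csv.DictReader(io.StringIO(report_csv))


def find_users_without_mfa(report_csv: str) -> list[str]:
    """Identities that can sign in to the console with nothing but a password.

    The root row reports password_enabled as "not_supported" yet can always
    sign in with a password, so it is treated as password-enabled.
    """
    findings = []
    for row in _rows(report_csv):
        user = row["user"]
        password_enabled = user == ROOT_USER or row.get("password_enabled", "").lower() == "true"
        mfa_active = row.get("mfa_active", "").lower() == "true"
        if password_enabled and not mfa_active:
            findings.append(user)
    return findings


def find_risky_access_keys(report_csv: str, now: datetime = NOW, max_age_days: int = 90) -> list[tuple[str, str]]:
    """Active access keys that are stale: older than max_age_days or never used.

    Access keys bypass the console (and MFA) entirely, so a console-only
    check misses them; a long-lived or unused key is the first thing to rotate.
    """
    findings = []
    for row in _rows(report_csv):
        if row.get("access_key_1_active", "").lower() != "true":
            continue
        user = row["user"]
        rotated = _parse_timestamp(row.get("access_key_1_last_rotated", ""))
        last_used = _parse_timestamp(row.get("access_key_1_last_used_date", ""))
        if rotated is not None and (now - rotated).days > max_age_days:
            findings.append((user, f"access key older than {max_age_days} days"))
        if last_used is None:
            findings.append((user, "access key active but never used"))
    return findings


if __name__ == "__main__":
    for user in find_users_without_mfa(SAMPLE_REPORT):
        print(f"NO MFA: {user}")
    for user, reason in find_risky_access_keys(SAMPLE_REPORT):
        print(f"KEY:    {user}: {reason}")
```

To run it against a real account, feed it the decoded output of `aws iam get-credential-report --query Content --output text | base64 -d` in place of the sample. The two checks are deliberately separate: a user such as the sample's `deploy-svc` never appears in the MFA list because it has no console password, which is exactly why the access-key check has to exist alongside it.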