A security breach at social media memories app Timehop last week is an example of how multifactor authentication (MFA) could prevent malicious actors from accessing cloud environments, even if they possess the admin credentials for a company’s cloud account.
Timehop detected the network intrusion on July 4, and stopped it two hours later, but not before personal data belonging to 21 million of its users was accessed. The company said that the breach occurred because an access credential to its cloud environment was compromised, and the cloud account had not been protected by multifactor authentication.
Multifactor authentication requires users to present two or more factors correctly before they are allowed access to an account: knowledge (something they know, like a password), possession (something they have, like a debit card or FOB), and something they are (facial recognition or fingerprint).
Founded in 2011, Timehop is a smartphone app the collects old photos and posts from Facebook, Instagram, Twitter and Dropbox, and resurfaces the old memories for users to share on social media. To work, its APIs access disparate social media accounts to see users’ posts.
Hackers stole these “access tokens” provided to Timehop by its social media providers, which could allow a malicious actor to view users’ social media posts without permission. These tokens have been disabled and can no longer be used, and the company said that there is no evidence of any unauthorized access of user data through these tokens.
In a notice to customers informing them of the security breach, Timehop said it has now taken steps, including adding multifactor authentication to all accounts in all cloud-based services, to secure access controls on its accounts. It is also working with its cloud provider to “inform of the incident and the actions taken, and to request follow-on assistance.”
Users’ personal data -- including names, some email addresses and some phone numbers -- was compromised. No credit card data was stolen as part of the breach. Timehop said some users may experience issues loading content and will need to reauthenticate.
James Lerud, head of behavioral research at cybersecurity platform Verodin, said in an emailed statement that Timehop should be commended for its transparency and rapid response time to the incident, but since the first unauthorized login took place over seven months ago, it could indicate that the password had not been changed in six months.