If you're a Timehop user, we've
got some really bad news. The app, which reminds you of your past social media
postings, says it was hacked on July 4.
Timehop says some 21 million
users are affected by the data breach, which exposed information such as names,
email addresses, and phone numbers.
In a company blog post,
Timehop says although it learned of the hack while it was happening and was
able to interrupt it, "data was taken."
The cause of the hack:
Apparently, the company's cloud computing account wasn't protected by
multi-factor authentication. Timehop says it's beefed up its security since the
incident.
(Now's a good time to remind
you to set
up two-factor authentication, aka 2FA, to protect your data for any apps
and services that support it. There's really no reason not to.)
Timehop says the
"keys" that are used to link your social media accounts to the app
were breached. As a result, the company's logged all users out of the app to
reset the keys. Users will need to log back into all their accounts to re-link
them.
"Timehop has never
stored your credit card or any financial data, location data, or IP addresses;
we don’t store copies of your social media profiles, we separate user
information from social media content — and we delete our copies of your
“Memories” after you’ve seen them."
Your social media content is safe
Aside from the
aforementioned names, email addresses, and phone numbers, it appears all other
data is safe.
"No private/direct
messages, financial data, or social media, or photo content, or Timehop data
including streaks were affected," the blog post states.
Additionally, the company
says no social media posts were accessed by the intruders. That covers any data
from third-party services you may have linked to Timehop, such as Facebook,
Instagram, Twitter, Google Photos, Swarm, Dropbox, etc.
How to protect your potentially stolen phone number
There are two ways to log
into Timehop: with a Facebook account or your phone number.
If, like me, you use
Facebook to log into the app, your phone number is safe.
"FB’s API wouldn’t have
given a phone number to us, nor would it have allowed the use of a phone number to
access anything," Rick Webb, Timehop's COO, confirmed to Mashable over
email. "On top of that, the tokens were invalidated before used."
However, if you use your
phone number as your sign-in, then it's been stolen by the hackers and you'll
want to take extra measures to protect it from being ported. As 9to5Mac
notes, ported numbers could be used to obtain 2FA codes for bank accounts.
"Those who use a phone
number as a login had their phone number compromised, but it is unrelated to
their FB credentials," Webb said.
Timehop says of the 21
million accounts that are affected by the hack, about 4.7 million of them have
a phone number attached to them.
Here's what Timehop
recommends doing if you use your phone number as your login:
If AT&T, Verizon, or Sprint is your
provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do
this.
If you have T-Mobile as your provider,
call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care
representative to assist with limiting portability of your phone number.
For all other providers, please contact
your cell carrier and ask them how to limit porting or add security to your
account.
Should you be worried?
Maybe.
Even though Timehop has increased
its security, the stolen data could still surface online. If your account is
affected, make sure you keep an eye out for any suspicious activity.
Timehop even warns there's a
good chance the stolen data could surface (emphasis ours):
Timehop
has retained the services of a well established cyber threat intelligence
company that has been seeking evidence of use of the email addresses, phone
numbers, and names of users, and while none have appeared to date, it is
a high likelihood that they soon will appear in forums and be included in lists
that circulate on the Internet and the Dark Web.
If you no longer use Timehop,
now's a good time to either delete your account or de-authorize any connected
social media accounts. Both can be done from within the app's settings page.
