[img src=”/wp-content/uploads/sites/1097/2018/07/blog_180713_01_blogimg.png” class=”aligncenter”]
By Tanner Thering
In a Saturday July 7 blog post, social media company Timehop publicly revealed a July 4 security breach that resulted in the personal information of approximately 21 million users being compromised, including names, genders, dates of birth, email addresses, and phone numbers. The attack also temporarily exposed the keys Timehop uses to authorize access to other social media services, though all such keys have since been deauthorized and are thus no longer an active security threat.
If you are a Timehop user, it’s very important make sure your Timehop account, and all connected social media accounts, are secure. We recommend, at the very least, a password change for all connected accounts. Optimally, these passwords would be 12 or more random characters, and stored in an encrypted password locker such as LastPass. If any of your social media services offer two-factor authentication, we also recommend that you enable that feature.
For those unfamiliar, Timehop is an app that allows users to reshare their social media posts from years earlier. It’s a way to remember and share memories, like weddings and vacations. The company portrays itself as innocent and fun, with a cute cartoon dinosaur named Abe for a mascot. It’s hard to blame the average consumer for not thinking too much about security when using a service that seems so light, fun, and unserious. Who would perform a cyberattack against such a silly app?
Unfortunately, even companies that seem frivolous have information that hackers want to get their hands on. It might seem innocuous to give your date of birth to a company like Timehop, until a malicious actor sells it to someone trying to steal your identity.
Being in an industry that doesn’t seem attractive to hackers is not the same as cyber protection for your business. You don’t have to be a bank or insurance company or government to have data that bad people want to get their hands on. You don’t even have to even be an internet company like Timehop to be an attractive target! If you hold any data at all, there is a shady character in some corner of the world that can find a use for it.
Timehop appears to have fallen victim to a sense of complacency. According to their blog post regarding this incident, the security breach was enabled by a stolen password to a cloud computing account. The account would have most likely been secure even with a stolen password if multifactor authentication were enabled, but that feature was not turned on until after the hacker had done their damage. We advise people about this all the time, but it’s worth repeating: turn on multifactor authentication for all the accounts you can, before you become a victim.
Even if you don’t own or run an organization, valuable lessons can be taken from this incident. If you have an account with a company that has experienced a breach, change your password to a long string of characters stored in a password locker, and enable multifactor authentication. This isn’t a guarantee of security, but it will go a long way towards keeping you secure. If you do run an organization, though, this incident should be scary, and should alert you to the importance of keeping your internal processes secure, regardless of what your business does. Cyber security isn’t easy, but dealing with a data breach is much harder.