Astonishingly, the attack was possible because Timehop didn't itself use 2FA for its cloud computing login!
With the "access tokens", hackers could view some of the users' social media posts without their permission. However, Timehop claims that the tokens were deauthorized and made invalid within a "short time window" and cannot be used to gain access to users' social media profiles. "We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts". In a security advisory posted on its website, Timehop said it voided the keys used to read and show users their past social media posts a few hours after it detected the attack on its network on July 4th at 4:23 PM Eastern Time. The advisory continues: "We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment."
As of now, Timehop claims that there is no evidence of the stolen data being used.
If you're on AT&T, Sprint, or Verizon, you can do this by contacting your carrier to add a PIN to your account if you don't already have one. So evidently there was more than one vulnerable account for attackers to target.
For now, by way of explanation, it writes: "There is no such thing as ideal when it comes to cyber security but we are committed to protecting user data". That does have a distinct "stable door being locked after the horse has bolted" feel to it.
Timehop first disclosed the cyberattack publicly in the Sunday blog post, several days after the breach unfolded.
As a result of the breach, you'll have to log back into Timehop next time you load up the app and reauthenticate each service you want to use with it.
Review any apps that have access to accounts such as Twitter, Facebook, Google Photos, and so forth.
"An email to the entire user base is in the works for today", he tells TechCrunch.
Some data was breached.
We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
The company says there is no evidence that any of the stolen data has been used for criminal purposes, though of course any stolen email addresses and phone numbers could be abused in the future, dumped online for free, or sold on to other crooks in due course.
Timehop users who are anxious that the network intrusion and data breach might have impacted their "Streak" - aka the number Timehop displays to denote how many consecutive days they have opened the app - are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".