As IT specialists, we are constantly reminding all of our clients of the importance of good security practices, especially when using cloud services. An incident last week, however, should be a reminder to everyone that it’s not only our work accounts we need to keep secure but our personal apps too.
TimeHop is a popular Facebook add-on application which, once granted access, is able to view all of your Facebook posts and photos, and post to your timeline. The company behind TimeHop has notified its users that, on 4th July 2018, they suffered a network intrusion that led to the loss of some 21 million users’ personal data including names, addresses and telephone numbers, as well as the private cryptographic keys used by the app to access your Facebook profile.
What has the company done?
TimeHop says that they detected the attack while it was in progress and were able to stop it, albeit not before some data had been compromised. In a statement, the company said that the breach happened because TimeHop had failed to enable multifactor authentication on one of their cloud computing accounts (something which they have now done).
If you are a TimeHop user, you will notice that you now have to re-authenticate the app. That’s because TimeHop has deactivated all of the security tokens which gave the app access to users’ Facebook profiles.
What personal data was lost?
The breach itself compromised the personal data of 21 million people – making it one of the largest single data breaches in history. The lost data includes:
• Names
• Telephone numbers
• Email addresses
TimeHop does not collect any other data themselves, but that does not mean that your other personal information is safe. The hackers who breached TimeHop’s systems were able to access security tokens which would – before they were deactivated by TimeHop themselves – have allowed them to see any posts on your Facebook account.
So, if you’re one of the 21 million whose accounts were compromised, you should consider your Facebook account – and any information you have ever shared with the social network – compromised too.
Advice to users
If you used your telephone number to login to TimeHop (which will likely be the case if you also use it to log in to Facebook) then it is likely that it has been compromised along with your name and email address.
TimeHop advises users to add security measures to their mobile phone account and email account in order to guard against unauthorised access.
As a matter of common sense, you should also review and update the security settings of your Facebook and other online accounts. Wherever possible, you should enable multifactor authentication to increase your protection against unauthorised access.
Overall, you should consider whether it is really a good idea to allow applications such as TimeHop – many of which are completely unvetted – access to your Facebook account at all. Facebook’s own security settings include an option to block all third-party apps and websites from interacting with your account. In light of this breach, and recent similar events, users are well advised to consider the option to block all apps.
Consilium have partnered with Palo Alto networks to provide Network security services throughout the network environment from the End User, into back-end infrastructure. We also Specialise in User and Application controls, and examination of Sanctioned SaaS Services for potential data leaks and threats.
If you require further information about this, or you are looking for a business that can provide you with the IT support you need, look no further than Consilium UK.
