When Timehop, an app that resurfaces users’ old social media posts, learned that the personal information of its 21 million users had been stolen, the company knew it had to act fast.
In the past, companies have been able to take their time and even try to hide data leaks. But after the hack was confirmed last Thursday, Timehop was already on the clock.
The New York-based company has the dubious honor of being what is believed to be the first U.S company to suffer a security breach after new data privacy regulations in Europe, known as General Data Protection Regulation, went into effect on May 25.
Since Timehop handles data from some European users, the company is required to report any data breach to E.U. authorities within 72 hours or risk being fined as much as 4 percent of its annual revenue.
Rick Webb, chief operating officer of Timehop, said the company found Europe’s reporting requirements “more complex than buying a house — it was insane.”
“I’d say I’ve written about 30 pages, and we’ve probably already filed 70 or 80 pages.”
The race to report
Hackers broke into Timehop’s system on July 4 and stole user data, including a combination of names, email addresses and phone numbers. On Tuesday Timehop said dates of birth were also compromised; they would have been taken from Facebook if the user had given Timehop permission to access their Facebook account.
In the company’s rush to issue a report on the breach, and because of a miscommunication between the engineering and incident response teams, Timehop did not initially report that hackers had taken dates of birth.
Webb, Timehop CEO Matt Raoul, the engineering team and an incident response consultant gave NBC News an exclusive play-by-play on Tuesday of what happened in the hours and days after hackers broke into the third-party server that handles their data and knocked the app offline for an hour.
Webb said that generally companies balance the race to report security issues and the desire to be transparent with being conscious of their image and the need to make sure they have all the facts.
“If everybody in the world always disclosed in 72 hours, and it was routine for people to update later, then it wouldn’t be so bad,” Webb said. “But because it is so abysmal from a PR perspective to keep reporting, no one wants to be quick.”
“It’s a chicken-and-egg problem,” Webb said. “So we were like, ‘Screw it, I guess we’ll be the egg.’”
Since it is among the first U.S. companies to publicly disclose a data breach under GDPR, Timehop is in uncharted territory.
“I wish a resource was out there for us, that we could have seen someone else’s experience,” Raoul said. “Hopefully someone will get value out of this.”
On Tuesday, Timehop released a table showing the various combinations of data that were taken, broken down by European users covered by the new privacy regulations and the rest of the world.
While names, email addresses and phone numbers are relatively easy to discover, having that information, along with someone’s date of birth, can be used by savvy criminals to reverse engineer access to a person’s private accounts, said Robert Siciliano, a security analyst at Hotspot Shield.
Of their 21 million users, Timehop reported that 3.3 million had records showing that their name, email, phone number and date of birth had been stolen in the hack.
“While this information is relatively public, it is definitely personal, and in some cases can be deemed sensitive if it falls in the wrong hands,” Siciliano said. “Even today, companies are still asking consumers for their date of birth as a knowledge-based or qualifying question to get or give access when administering their accounts over the phone.”
Discovering the hack
Timehop’s meticulous logs have turned out to be a big help in alerting them to the hack and how it was carried out.
TimeHop discovered that its system had been breached in December, when a hacker accessed the system that runs the data for its cloud app but found nothing. The hacker then checked back in March and saw an empty database called “users,” which the company’s engineers were in the process of filling. The cybercriminal came back on June 22 and saw the system was full of information but waited until the Fourth of July holiday to make a move.
That set off security notifications, which attracted the attention of a Timehop engineer. He noticed Timehop’s password for its data service, which did not use two-factor authentication, had been changed and the app wasn’t working. He logged in, fixed it, got the app back online and didn’t take further action until he was back in the office the next day.
On the afternoon of July 5, over the course of four hours, the hack was confirmed and reported to various law enforcement agencies. Before publicly disclosing the breach, and well within the 72-hour deadline, Timehop reached out to its social media partners including Facebook, Twitter, Google and Foursquare to make sure tokens, which allow its app to access a user’s social media data, hadn’t been used maliciously and were reset.
The company’s incident consultant, who was called in on July 5, said they had not found any evidence that the stolen credentials had been sold or dumped online.
But that doesn’t necessarily mitigate a potential threat. Security professionals, including Siciliano, recommend that people practice security hygiene, including creating strong passwords, regularly changing them and turning on two-factor authentication when available, which sends a code to a user’s email or phone that is required to log in.