On July 4, popular social media app Timehop suffered a security breach that exposed the data of over 21 million users worldwide. The company released an official statement on July 9 detailing the breach, including the number of affected users and the type of information exposed. Timehop initially claimed the hackers stole only names, email addresses, and phone numbers.
On July 11, the company updated its official statement, revealing that the hackers got more data than was initially announced. The stolen data now includes gender, language, country of origin, and date of birth, all of which is information that is crucial for identity theft. Why did they withhold this discovery? As the company puts it, they “messed up” by announcing the breach without knowing its full scope.
How did the breach happen? “The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts,” Timehop explained in their statement. Cool story, bro.
But seriously, why didn’t they activate multi-factor authentication on their cloud server in the first place? Based on the timeline presented by Timehop, the breach started way back in December 2017, when the hacker gained access to an admin user’s credentials. The hacker then created an admin account of his own and surveyed the data for over 7 months before executing the breach. Imagine all this trouble, all because multi-factor authentication wasn’t activated.
Passwords Aren’t Always Enough
Companies are probably sick of hearing this sentiment from cybersecurity experts, but they can’t argue with how important it is. Timehop probably thought they had a strong password for their cloud accounts, but passwords can be cracked, no matter how strong they are. And sure, hackers have yet to find a way to crack long and complicated passwords in a short amount of time, but are we really going to wait for them to catch up before we do something about our cybersecurity?
Enter multi-factor authentication. With this technology, companies can add layers of protection to all the things that need protection: servers, sensitive data, social media accounts, and others. Activating multi-factor authentication complements strong password policies for every member of an organization, regardless of department or position. And MFA is easy to implement anyway. Not sure where to start? Let certificate authorities like GlobalSign help you out.
“We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services; revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment,” Timehop wrote in their report.
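A sketch of what a user audit and permissions inventory like this can check, added here as an example and not taken from Timehop's report or any provider's tooling. The inventory records, field names, and the `ticket` change-record field are assumptions constructed for illustration.

```python
from datetime import date

# Constructed inventory for illustration; field names are assumptions,
# not any cloud provider's export format.
ACCOUNTS = [
    {"name": "root", "role": "admin", "mfa": True,
     "created": date(2015, 1, 5), "created_by": None, "ticket": "CHG-001"},
    {"name": "ops-admin", "role": "admin", "mfa": False,
     "created": date(2016, 3, 1), "created_by": "root", "ticket": "CHG-101"},
    {"name": "dev-alice", "role": "read-only", "mfa": True,
     "created": date(2017, 5, 9), "created_by": "ops-admin", "ticket": "CHG-230"},
    {"name": "svc-report", "role": "admin", "mfa": False,
     "created": date(2017, 12, 20), "created_by": "ops-admin", "ticket": None},
]

def audit(accounts):
    """Return sorted (account, finding) pairs for the user audit."""
    by_name = {a["name"]: a for a in accounts}
    findings = set()
    for acct in accounts:
        name, is_admin = acct["name"], acct["role"] == "admin"
        # Every account should have MFA; admin accounts are the worst case.
        if not acct["mfa"]:
            findings.add((name, "ADMIN_WITHOUT_MFA" if is_admin else "USER_WITHOUT_MFA"))
        # An admin account nobody requested is a permissions-inventory gap.
        if is_admin and acct["ticket"] is None:
            findings.add((name, "ADMIN_WITHOUT_CHANGE_RECORD"))
        # Anything created by a password-only account inherits that account's risk.
        creator = by_name.get(acct["created_by"])
        if creator is not None and not creator["mfa"]:
            findings.add((name, "CREATED_BY_ACCOUNT_WITHOUT_MFA"))
    return sorted(findings)

def review_queue(accounts):
    """Admin accounts with no change record whose creator lacked MFA."""
    found = audit(accounts)
    unrecorded = {n for n, f in found if f == "ADMIN_WITHOUT_CHANGE_RECORD"}
    return sorted(n for n, f in found
                  if f == "CREATED_BY_ACCOUNT_WITHOUT_MFA" and n in unrecorded)

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS):
        print(f"{name:12} {finding}")
    print("review first:", review_queue(ACCOUNTS))
```

The cross-check on the creating account matters because a password-only admin that created further admin accounts is the pattern in Timehop's timeline, so those accounts need review even if they look routine on their own.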
Hopefully, more companies realize the importance of MFA in securing their data and preventing incidents like these.