Timehop's data breach risks running afoul of EU rules


When Timehop, an app that resurfaces users’ old social media posts, learned that the personal information of its 21 million users had been stolen, the company knew it had to act fast.

In the past, companies have been able to take their time and even try to hide data leaks. But after the hack was confirmed last Thursday, Timehop was already on the clock.


The New York-based company has the dubious honor of being what is believed to be the first U.S. company to suffer a security breach after Europe's new data privacy regulation, the General Data Protection Regulation (GDPR), went into effect on May 25.

Since Timehop handles data from some European users, the company is required to report a data breach to E.U. authorities within 72 hours of becoming aware of it, or risk being fined as much as 4 percent of its annual global revenue.

Rick Webb, chief operating officer of Timehop, said the company found Europe’s reporting requirements “more complex than buying a house — it was insane.”

“I’d say I’ve written about 30 pages, and we’ve probably already filed 70 or 80 pages.”

The race to report

Hackers broke into Timehop’s system on July 4 and stole user data, including a combination of names, email addresses and phone numbers. On Tuesday Timehop said dates of birth were also compromised; they would have been taken from Facebook if the user had given Timehop permission to access their Facebook account.

In the company’s rush to issue a report on the breach, and because of a miscommunication between the engineering and incident response teams, Timehop did not initially report that hackers had taken dates of birth.

Webb, Timehop CEO Matt Raoul, the engineering team and an incident response consultant gave NBC News an exclusive play-by-play on Tuesday of what happened in the hours and days after hackers broke into the third-party server that handles their data and knocked the app offline for an hour.

Webb said that companies generally have to balance the race to report security issues and the desire to be transparent against concern for their image and the need to make sure they have all the facts.

“If everybody in the world always disclosed in 72 hours, and it was routine for people to update later, then it wouldn’t be so bad,” Webb said. “But because it is so abysmal from a PR perspective to keep reporting, no one wants to be quick.”

“It’s a chicken-and-egg problem,” Webb said. “So we were like, ‘Screw it, I guess we’ll be the egg.’”

Since it is among the first U.S. companies to publicly disclose a data breach under GDPR, Timehop is in uncharted territory.

“I wish a resource was out there for us, that we could have seen someone else’s experience,” Raoul said. “Hopefully someone will get value out of this.”

The data

On Tuesday, Timehop released a table showing the various combinations of data that were taken, broken down by European users covered by the new privacy regulations and the rest of the world.

While names, email addresses and phone numbers are relatively easy to discover, that information combined with someone’s date of birth can be used by savvy criminals to work their way into a person’s private accounts, said Robert Siciliano, a security analyst at Hotspot Shield.

Of its 21 million users, Timehop reported that 3.3 million had records showing that their name, email, phone number and date of birth had all been stolen in the hack.

“While this information is relatively public, it is definitely personal, and in some cases can be deemed sensitive if it falls in the wrong hands,” Siciliano said. “Even today, companies are still asking consumers for their date of birth as a knowledge-based or qualifying question to get or give access when administering their accounts over the phone.”

Discovering the hack

Timehop’s meticulous logs turned out to be a big help in alerting it to the hack and in reconstructing how it was carried out.

Timehop’s logs showed that an intruder had first reached its systems in December, when a hacker accessed the cloud environment that holds the app’s data but found nothing. The hacker then checked back in March and saw an empty database called “users,” which the company’s engineers were in the process of filling. The cybercriminal came back on June 22 and saw the database was full of information, but waited until the Fourth of July holiday to make a move.

That set off security notifications, which attracted the attention of a Timehop engineer. He noticed that the password for Timehop’s data service, an account that was not protected by two-factor authentication, had been changed and that the app wasn’t working. He logged in, fixed it, got the app back online and didn’t take further action until he was back in the office the next day.
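The sequence above (months of reconnaissance from an unfamiliar source, then a credential change on a service account without a second factor, then a bulk read, then the legitimate app failing to log in) is exactly the kind of pattern a small detection pass over access logs can surface early. The following is an added example, not Timehop's code or log format: the log lines are constructed, the field layout, account name and IP addresses are invented for illustration, and the dates are chosen to mirror the timeline in the article.

```python
"""Added example (not Timehop's code): flag suspicious access patterns in a
constructed cloud-database audit log. Log format, account name, IPs and
timestamps below are all hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit log, one event per line:
# <timestamp> <action> <principal> <source_ip> <target>
# 198.51.100.10 plays the legitimate app host; 203.0.113.45 plays the intruder.
CONSTRUCTED_LOG = """\
2017-11-01T12:00:00Z LOGIN_OK svc-app 198.51.100.10 -
2017-11-02T12:00:00Z LOGIN_OK svc-app 198.51.100.10 -
2017-11-03T12:00:05Z QUERY svc-app 198.51.100.10 users
2017-12-19T02:14:07Z LOGIN_OK svc-app 203.0.113.45 -
2017-12-19T02:14:30Z QUERY svc-app 203.0.113.45 information_schema
2018-03-11T03:40:12Z LOGIN_OK svc-app 203.0.113.45 -
2018-03-11T03:40:40Z QUERY svc-app 203.0.113.45 users
2018-06-22T01:05:55Z LOGIN_OK svc-app 203.0.113.45 -
2018-06-22T01:06:10Z QUERY svc-app 203.0.113.45 users
2018-07-04T04:30:01Z LOGIN_OK svc-app 203.0.113.45 -
2018-07-04T04:30:15Z PASSWORD_CHANGE svc-app 203.0.113.45 svc-app
2018-07-04T04:31:00Z EXPORT svc-app 203.0.113.45 users
2018-07-04T04:35:00Z LOGIN_FAIL svc-app 198.51.100.10 -
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    principal: str
    source_ip: str
    target: str


def parse_log(text: str) -> list[Event]:
    """Parse the hypothetical whitespace-separated log format into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, principal, ip, target = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, action, principal, ip, target))
    return events


def detect(events: list[Event], baseline_end: datetime) -> list[tuple[datetime, str, str]]:
    """Return (time, rule, detail) alerts.

    Rules, in the order they fire on the constructed log:
      new_source             - a successful login from a (principal, ip) pair never
                               seen during the baseline window
      credential_change      - any password change on a service account
      bulk_export            - a full-table export
      lockout_after_rotation - a login failure from a known source shortly after a
                               password change made from a different source
    """
    known: set[tuple[str, str]] = set()
    last_pw_change: dict[str, Event] = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.principal, e.source_ip)
        if e.ts < baseline_end:          # learn normal (principal, ip) pairs only
            if e.action == "LOGIN_OK":
                known.add(key)
            continue
        if e.action == "LOGIN_OK" and key not in known:
            alerts.append((e.ts, "new_source", f"{e.principal} logged in from unseen IP {e.source_ip}"))
            known.add(key)               # alert once per new pair, not on every login
        elif e.action == "PASSWORD_CHANGE":
            last_pw_change[e.principal] = e
            alerts.append((e.ts, "credential_change", f"password for {e.principal} changed from {e.source_ip}"))
        elif e.action == "EXPORT":
            alerts.append((e.ts, "bulk_export", f"{e.principal} exported {e.target} from {e.source_ip}"))
        elif e.action == "LOGIN_FAIL":
            change = last_pw_change.get(e.principal)
            if change and change.source_ip != e.source_ip and (e.ts - change.ts).total_seconds() <= 3600:
                alerts.append((e.ts, "lockout_after_rotation",
                               f"{e.principal} failed to log in from {e.source_ip} after a password "
                               f"change from {change.source_ip}"))
    return alerts


def run_example() -> list[tuple[datetime, str, str]]:
    """Run the rules over the constructed log with a baseline ending 2017-12-01."""
    return detect(parse_log(CONSTRUCTED_LOG), datetime(2017, 12, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for ts, rule, detail in run_example():
        print(f"{ts.isoformat()}  {rule:24s}  {detail}")
```

The point of the baseline window is that the December login is flagged the first time it happens, seven months before the data is exported; the later rules only confirm what the first one already said. A real deployment would also key the baseline on client identity (certificate or instance role) rather than source IP alone, and the credential-change rule is the one that should page someone on a holiday.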

On the afternoon of July 5, over the course of four hours, the hack was confirmed and reported to various law enforcement agencies. Before publicly disclosing the breach, and well within the 72-hour deadline, Timehop reached out to its social media partners including Facebook, Twitter, Google and Foursquare to make sure tokens, which allow its app to access a user’s social media data, hadn’t been used maliciously and were reset.

The company’s incident consultant, who was called in on July 5, said they had not found any evidence that the stolen credentials had been sold or dumped online.

Syria war: Government attacks IS enclave in south-west

Syrian government and Russian forces are reportedly attacking an enclave held by the jihadist group Islamic State (IS) in south-western Syria.

Activists and a monitoring group said aircraft were bombing the Yarmouk Basin area, which borders Jordan and the Israeli-occupied Golan Heights.

The militants are said to have counter-attacked, targeting nearby villages.

The fighting comes after the government recaptured most of the surrounding province of Deraa from rebel factions.

Rebel commanders agreed on Friday to surrender their heavy weapons and begin handing over towns as part of a Russian-brokered agreement.

In return, the Russian military is believed to have guaranteed the safe return of the 320,000 civilians who fled their homes after the government’s offensive began on 19 June, as well as the evacuation to rebel-held parts of north-western Syria for people who wish to leave.

An IS-affiliated group, the Khalid Ibn al-Walid Army, has controlled the south-western corner of Deraa province since 2014, when jihadists overran vast swathes of Syria and neighbouring Iraq and proclaimed the establishment of a “caliphate”.

IS was not covered by last week’s ceasefire deal, and on Wednesday its positions in the Yarmouk Basin were subjected to air strikes and artillery fire.

The Syrian Observatory for Human Rights, a UK-based monitoring group, said Russian warplanes had targeted the town of Saham al-Golan early on Wednesday and that government helicopters had also dropped barrel bombs on the area.

In retaliation, IS militants attacked Hait, a rebel-held town that recently agreed to surrender, it added.

The pro-opposition Horan Free Media group reported that IS artillery fire killed four children and a woman in Hait.

Syrian state media meanwhile reported that troops were advancing towards Tal al-Ashari, Jallain and Zaizoun, rebel-held villages in Deraa’s western countryside that have agreed to surrender.

On Tuesday, IS claimed it had carried out a suicide bombing in Zeizoun.

An IS statement said the attack had targeted a gathering of Russian and Syrian troops, killing more than 35 of them. But the Syrian Observatory put the death toll at 14 and said the dead were soldiers and rebel fighters “who recently reconciled” with the government.

Thousands of civilians have reportedly fled the Yarmouk Basin in anticipation of a government ground assault and headed towards the frontier with the occupied Golan Heights, which Israel captured from Syria during the 1967 Middle East war.

Up to 190,000 people displaced by the assault on rebel-held areas are also gathered near the armistice line, according to the United Nations. Many do not have any shelter, leaving them exposed to harsh weather conditions, such as dusty desert winds and high temperatures.

The Syrian army’s advance towards the occupied Golan Heights has also alarmed Israeli officials, who believe it may attempt to deploy soldiers along the frontier in defiance of a 1974 Separation of Forces Agreement that created a buffer zone patrolled by UN peacekeepers.

On Wednesday, the Israeli military said it had launched a Patriot missile at a drone launched from Syria, setting off air defence sirens in Israeli communities.

Israeli Prime Minister Benjamin Netanyahu meanwhile flew to Moscow to discuss “Syria, Iran and Israel’s security needs” with Russian President Vladimir Putin.

Iran, Israel’s arch-enemy, has deployed hundreds of troops to Syria, ostensibly as advisers to the government. Thousands of Shia militiamen armed, trained and financed by Iran have also been battling rebels alongside the Syrian army.

Mr Netanyahu has vowed to stop what he considers Iranian “military entrenchment” in Syria and has ordered a number of air strikes on Iranian facilities.

Cave rescue: First pictures of Thai boys in hospital

Video footage has emerged of a group of Thai footballers recovered from a huge cave complex in a dramatic rescue operation.

The boys were shown recovering in hospital, where they gave victory signs, as people watched from an adjoining room.

Pictures courtesy of the Thai government public relations department.

Donald Trump baby blimp ready to take first steps

A controversial blimp that will fly in protest at US president Donald Trump’s visit is ready for launch, its organisers told the Victoria Derbyshire programme.

London Mayor Sadiq Khan has given permission for the helium-filled six-metre (19.7ft) high balloon to fly.

Campaigners raised almost £18,000 to pay for the inflatable and more than 10,000 people signed a petition calling for the inflatable to be given permission to fly, but some have described it as “a disgrace” and “disrespectful.”

Germany's 'Nazi bride' gets life sentence for 10 racist killings

Germany’s “Nazi bride” was found guilty on 10 counts of murder on Wednesday for her role in a neo-Nazi gang that carried out killings and bombings over seven years.

Beate Zschaepe, 43, was sentenced to life in prison by a court in Munich, Reuters reported.

It marked the end of one of Germany’s highest-profile and longest-running neo-Nazi trials.

Zschaepe is the sole surviving member of a white supremacist terrorist cell that called itself the National Socialist Underground (NSU).

From 2000 to 2007, the three-member group was behind at least 10 murders — killing eight men of Turkish origin, a Greek migrant and a German female police officer — as well as carrying out two bombings in immigrant areas of Cologne and 15 bank robberies, according to prosecutors.

Activists hold banners with the portraits of the NSU victims outside the Oberlandesgericht courthouse on the day judges are to announce their verdict in the marathon NSU neo-Nazi murder trial on July 11, 2018 in Munich, Germany. (Andreas Gebert / Getty Images)

The two other known members of the cell, Uwe Mundlos and Uwe Boehnhardt, were found dead in an apparent murder-suicide after a bungled bank robbery in 2011. It was only then that investigators linked the killings and realized they were carried out by the same group.

Zschaepe turned herself in to police shortly after and has been on trial since 2013.

She denied the killings, speaking only twice during more than 400 days of hearings in the five-year case. She did apologize to the victims’ families and said she felt morally responsible for not stopping Mundlos and Boehnhardt.

“I am a compassionate person and was able to see and feel the distress and despair of the families,” she said in her closing statement to court last week.

In her only other testimony, she had previously denied being part of NSU altogether and claimed to have been horrified when the other two members told her about the killings.

Zschaepe’s lawyers had urged the court to convict her of the lesser charges of arson and robbery.