Monday, July 09, 2018
Probably email addresses, not the emails. Note that they immediately identified a more secure method for authenticating their Admins. Why didn’t they use that from the beginning?
Timehop Security Breach Affects the Company’s Entire 21 Million Userbase
Timehop, a mobile app that surfaces old social media posts from the same day but from previous years, has announced a security breach affecting its entire userbase of over 21 million users.
Not all users were affected to the same extent. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.
Timehop says that not all users had an email address or phone number attached to their account.
… Further, not all usernames contained users’ real names.
Nonetheless, the hacker stole the access keys for all 21 million users. These access keys link the Timehop account to various social media accounts from where Timehop pulls older social media posts and images.
… The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.
According to preliminary evidence from the investigation, the intrusion took place on December 19, 2017, when a hacker gained access to an admin account for Timehop’s cloud infrastructure. Timehop says it failed to secure that account with multi-factor authentication, making the attack possible.
… The hacker logged into this account on four separate days in December 2017 and March and June 2018, during which it carried out reconnaissance operations.
The intrusion went undetected until July 4, when the intruder started exfiltrating the company’s database. Timehop says it detected the operation and cut off the hacker’s access two hours and nineteen minutes later.
The company said it has now secured all accounts with multi-factor authentication to prevent further intrusions.
Another side of identity theft.
Oprah, Is That You? On Social Media, the Answer Is Often No.
Kip Moore, a country music singer-songwriter with hits like “Beer Money” and “Hey Pretty Girl,” has had some disturbing experiences with fans lately.
At some shows, women have approached him demanding to know why he stopped chatting with them on Instagram or Facebook. Some said they left their husbands to be with him after he said he loved them. Now they could be together, the women told him.
“They’re handing me a letter, you know, ‘Here’s the divorce papers. I’ve left so and so,’” Mr. Moore, 38, said. “If I check my inbox right now, I’d have hundreds of these messages. But I try not to check it, because it disheartens me.”
Mr. Moore, fueled by his country music fame, is a victim of what has become a widespread phenomenon: identity theft on social media. Recent searches found at least 28 accounts impersonating him on Facebook and at least 61 on Instagram. Many of the accounts send messages to his fans promising love and asking for money. Those who get duped often direct their anger at the real Mr. Moore.
… To get a sense of the scale of the problem, The New York Times commissioned an analysis to tally the number of impersonators across social media for the 10 most followed people on Instagram, including Beyoncé and Taylor Swift. The analysis, conducted by Social Impostor, a firm that protects celebrities’ names online, found nearly 9,000 accounts across Facebook, Instagram and Twitter pretending to be those 10 people.
I may ask my students to read and analyze one of the privacy policies they have already agreed to.
How to Read Long Privacy Policies the Easy Way
Trying to understand…
Law Review Article – Carpenter v. United States: Big Data is Different
Carpenter v. United States, 585 U.S. ___ (2018) (Roberts, C.J.). Response by Margot E. Kaminski, Geo. Wash. L. Rev. On the Docket (Oct. Term 2017). Slip Opinion | SCOTUSblog
“A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts’s opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law.”