Check Your Accounts: Timehop, Macy’s, Bloomingdale’s, Domain Factory Announce Breach
Smartphone app Timehop, retailers Macy’s and sister company Bloomingdale’s, and Germany-based hosting provider Domain Factory announced that their systems were breached. According to a notification letter, an unauthorized third party gained access to Macy’s and Bloomingdale’s servers and stole customers’ personally identifiable information (PII) and payment details. All the identified enterprises have advised their subscribers to change their account passwords and reauthenticate all linked online accounts.
According to their statement, Macy’s and Bloomingdale’s security teams observed suspicious logins on June 12, and only then discovered that the attacker may have accessed their systems with a valid account to acquire their customer records from April 26 to June 12. While they stated that affected accounts were only limited to those who purchased products online and that no Social Security Numbers (SSNs) were taken, they confirmed that the stolen data included:
- First and last names
- Home addresses
- Phone numbers
- Email addresses
- Debit or credit card numbers with expiration dates (except Credit Verification Values or CVVs)
The retailers did not disclose the specific number of affected customers, but cited that they sent notifications via email, and that they will provide victims with identity protection concessions. They have blocked affected accounts until new passwords have been registered and new security measures have been installed. Users should observe their accounts for fraudulent purchases and report any unauthorized charges immediately.
The Timehop breach: Data of 21 million users stolen
Timehop discovered a network intrusion using valid access credentials on July 4 and found that the attacker stole the information (names, email addresses and phone numbers) of around 21 million users. Timehop stated that while they were able to block the breach two hours after discovery, their investigation showed that there has been no evidence that the attackers abused the stolen data. They emphasized data minimization limited the potential damage and that “no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.” The company has voided all social media authorization tokens held and alerted users that they have to reauthenticate all their linked accounts for a new token, and reassured the public that they will reinforce their systems with multi-factor authentication.
Domain Factory breached in January
Domain Factory stated that on July 3 an unknown actor claimed on the company forum that they were able to breach the provider’s systems and steal sensitive information. The company promptly closed the forum and found that an external actor accessed customers’ data on January 29. Stolen information include:
- Company name
- Phone numbers
- Email addresses
- Account passwords
- Bank names and account numbers (IBAN or BIC)
The statement cited that they patched the vulnerability on the same day they learned about the breach. Reports state that the attacker likely used a variant of Dirty Cow and is allegedly demanding the money owed him by the company. Customers are advised to change their Domain Factory, MySQL, SSH, FTP and Live disk passwords immediately, as their websites may also be prone to data leaks because of the attack.
Domain Factory and Timehop claimed that data protection authorities and affected businesses have been notified in accordance with the General Data Protection Regulation (GDPR), and are working on reinforcing their established security measures. Here are steps that businesses can employ to secure their systems:
- Secure your gateways and endpoints.
- Add layers of security such as two-factor authentication (2FA).
- Modify and verify privacy configuration settings. Limit those who have access to all databases to create an extra layer of protection to secure sensitive information.
- Enforce and practice the principle of least privilege. Employ firewalls, network segmentation, and data categorization to restrict attackers' movement within the system or network.
- Practice data minimization and encourage privacy by design.
[Read: Turning your data against you: Cybercrime’s new norm?]
Update: 12 July 2018
Timehop updated their report on the breach, enumerating the PII stolen by the attackers:
|Type of Data||Number of Stolen Data||Number of GDPR-Affected Data|
|Name, Email Address, Phone Number, Date of Birth (DoB)||3.3 million||174,000|
|Name, Email Address, Phone Number||3.4 million||181,000|
|Name, Email Address, DoB||13.6 million||2.2 million|
|Name, Phone Number, DoB||3.6 million||189,000|
|Name and Email Address||18.6 million||2.9 million|
|Name and Phone Number||3.7 million||198,000|
|Name and DoB||14.8 million||2.5 million|
|Name Total||20.4 million||3.8 million|
|DoB Total||15.5 million||2.6 million|
|Email Addresses Total||18.6 million||2.9 million|
|Gender Designation Total||9.2 million||2.6 million|
|Phone Numbers Total||4.9 million||243,000|
Timehop’s investigation also revealed that the attacker accessed their database in December 2017, March, April, June 22, and July 4, 2018. Forensic investigation also showed that the attacker had access to the database for more than 24 hours, and had been reprogramming processes in the User cluster such as changing access passwords. During this time, users were reporting black screens and service being down. A sudden spike in database reads alerted internal tools, which led to the discovery of the breach.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.