Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:15 PM
Connect Directly

Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication

Names, email addresses, and some phone numbers belonging to 21 million people exposed in Timehop intrusion; Macy's incident impacts 'small number' of customers.

Two new data breaches revealed this week — one at Timehop and the other at Macy's — have once again focused attention on the continuing failure by many enterprises to implement strong authentication for controlling access to critical accounts.

Timehop, a service that helps users of Facebook and other social media platforms share nostalgic moments from old posts, on Sunday said someone using an access credential to its cloud account had illegally accessed names and email addresses belonging to some 21 million users. Phone numbers belonging to about 22%, or 4.7 million of them, were also compromised in the network intrusion the company said.

Timehop blamed the breach on its failure to use strong authentication to protect the cloud administrator account that was beached.

Meanwhile, the intrusion at Macy's appears to have resulted from a similar authentication weakness. In an emailed statement, the company described the incident as impacting a "small number" of customers who shopped online at macys.com and bloomingdales.com. Macy's said it had implemented additional security measures and contacted all impacted customers but offered no other details about the incident.

However, MediaPost, the first to report on the breach, said Macy's had blamed an unnamed third-party for accessing the data from an external location using valid login credentials.

The two breaches are similar to many in recent years involving the use of legitimate credentials to access and steal enterprise data. Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network.

A May 2018 report by cloud security vendor RedLock found that 27% of organizations in fact have experienced potential account compromises. Over the last year alone, several major enterprises including Uber, Tesla, Gemalto, and Aviva have experienced incidents where access credentials have been leaked or stolen, RedLock noted. Security experts have said that such breaches heighten the need for organizations to use strong authentication for controlling access to critical assets.

"Multi-factor authentication solutions have been around for over a decade. Yet many critical systems remain unprotected," says Dana Tamir, vice president of market strategy at Silverfort. Many organizations have continued to drag their heels on implementing the measure for a variety of reasons.

Tokens Taken, Too

According to Timehop, in addition to the data on 21 million users, the attackers also managed to steal the unique tokens provided by social media companies to Timehop so it can read other people's old social media posts. The tokens would have allowed the attacker to view the social media posts of the impacted users, without their permission. However, there is no evidence that the attacker actually used the tokens to illegally access user accounts or any of their data.

Timehop discovered the intrusion while it was in progress and managed to lock out the attackers slightly more than two hours later. Since then the company has implemented multifactor authentication to secure authorization and access controls across all of its internal accounts. Timehop has also deactivated all the compromised access tokens so they can no longer be misused.  

As a result of these changes, users will have to log in and re-authenticate to Timehop's service for each social media account, the company said.

"Strong MFA can prevent account takeovers, such as the ones seen in the Macy's and TimeHop breaches," says Will LaSala, security evangelist at OneSpan.

Just about every IT administrator already knows this, but often there are factors at play that make it hard for organizations to deploy MFA easily, he says. "When breaches like these occur, it is easy to point out that the IT professional missed the obvious security concern. But it is less easy to see why those concerns were overlooked in the first place," LaSala says.

One challenge is that most multi-factor authentication products require organizations to deploy software on both the server and user endpoints, says Tamir. Modern IT infrastructures are also becoming increasingly dynamic, and new servers are often spun up and down in these environments in just a few minutes.

"This makes it difficult to ensure authentication software is installed and configured for each server," she notes. Requiring software on various user endpoint platforms similarly is problematic due to BYOD trends and the dynamic nature of mobile device use.

Sometimes, organizations might have to implement MFA products from multiple vendors due to the nature of their technology infrastructure — increasing costs and complexity in the process. And in some environments, as with critical servers on industrial OT networks and SCADA environments or certain financial systems, it isn't possible to deploy any MFA software at all, she says.

Related Content:




Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/10/2018 | 9:09:41 AM
Re: Culture > MFA
I agree but I would also note that even with valid credentials some MFA solutions that require both a mobile token and answering a revolving question from a pool of pre-configuered questions could still stop such intrusions.  Additionally, while still young, risk-based authentication (RBA) on top of that could also help weed out bad actors with valid credentials. 
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 8:10:20 PM
Culture > MFA
While MFA could certainly have prevented or mitigated the damage from these breaches or breaches like these, in my experience these types of breaches tend to have a more fundamental cause beyond a lack of MFA: a lack of a good security culture that led to exploitable weaknesses to begin with.

Case in point here: securitynow.com/author.asp?section_id=613&doc_id=734774
User Rank: Ninja
7/9/2018 | 7:13:05 PM
Improvements in MFA Could Help
Since I don't design solutions, I haven't put too much deep thought into this yet, but over the last year I documented the following statistics and I can see why end users are getting MFA over MFA.  While we are well aware of the need for MFA and similar forms of security, our end users are simply seeing numbers like this and resisting.  Some have the smarts to bypass some MFA (though these days the majority of solutions are too smart to bypass) or simply STOP using some sites as often as they need to or should because of numbers like this.  Call me lazy but even for me, a seasoned techie, this seems like a lot of robot calls answered, lots of texts and browser codes entered.

MFA Contacts over 12 Months

MFA Cell Phone Calls:   2,803

MFA Cell Phone Texts: 1,741

MFA Browser-Delivered Codes: 972

But, let's assume the end user complaints have nothing to do with a company choosing to implement MFA (let's be honest, how many orgs really listen to their end-users anyway). The article notes one reason many companies might be skipping the MFA step in their security plan, which is the need for software on both the server and user endpoints. I was involved in an MFA implementation and it became quite complicated. A software install on the server, followed by embedded web code, and then an end-user desktop install on top of a mobile token app.

Again, not a solutions designer but some improvements in MFA could help get organizations to 100% implementation (despite end-user complaints).

More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID...
PUBLISHED: 2021-01-19
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML Exte...
PUBLISHED: 2021-01-19
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
PUBLISHED: 2021-01-19
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.