Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:15 PM
Connect Directly

Data Breaches at Timehop, Macy's Highlight Need for Multi-Factor Authentication

Names, email addresses, and some phone numbers belonging to 21 million people exposed in Timehop intrusion; Macy's incident impacts 'small number' of customers.

Two new data breaches revealed this week — one at Timehop and the other at Macy's — have once again focused attention on the continuing failure by many enterprises to implement strong authentication for controlling access to critical accounts.

Timehop, a service that helps users of Facebook and other social media platforms share nostalgic moments from old posts, on Sunday said someone using an access credential to its cloud account had illegally accessed names and email addresses belonging to some 21 million users. Phone numbers belonging to about 22%, or 4.7 million of them, were also compromised in the network intrusion the company said.

Timehop blamed the breach on its failure to use strong authentication to protect the cloud administrator account that was beached.

Meanwhile, the intrusion at Macy's appears to have resulted from a similar authentication weakness. In an emailed statement, the company described the incident as impacting a "small number" of customers who shopped online at macys.com and bloomingdales.com. Macy's said it had implemented additional security measures and contacted all impacted customers but offered no other details about the incident.

However, MediaPost, the first to report on the breach, said Macy's had blamed an unnamed third-party for accessing the data from an external location using valid login credentials.

The two breaches are similar to many in recent years involving the use of legitimate credentials to access and steal enterprise data. Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network.

A May 2018 report by cloud security vendor RedLock found that 27% of organizations in fact have experienced potential account compromises. Over the last year alone, several major enterprises including Uber, Tesla, Gemalto, and Aviva have experienced incidents where access credentials have been leaked or stolen, RedLock noted. Security experts have said that such breaches heighten the need for organizations to use strong authentication for controlling access to critical assets.

"Multi-factor authentication solutions have been around for over a decade. Yet many critical systems remain unprotected," says Dana Tamir, vice president of market strategy at Silverfort. Many organizations have continued to drag their heels on implementing the measure for a variety of reasons.

Tokens Taken, Too

According to Timehop, in addition to the data on 21 million users, the attackers also managed to steal the unique tokens provided by social media companies to Timehop so it can read other people's old social media posts. The tokens would have allowed the attacker to view the social media posts of the impacted users, without their permission. However, there is no evidence that the attacker actually used the tokens to illegally access user accounts or any of their data.

Timehop discovered the intrusion while it was in progress and managed to lock out the attackers slightly more than two hours later. Since then the company has implemented multifactor authentication to secure authorization and access controls across all of its internal accounts. Timehop has also deactivated all the compromised access tokens so they can no longer be misused.  

As a result of these changes, users will have to log in and re-authenticate to Timehop's service for each social media account, the company said.

"Strong MFA can prevent account takeovers, such as the ones seen in the Macy's and TimeHop breaches," says Will LaSala, security evangelist at OneSpan.

Just about every IT administrator already knows this, but often there are factors at play that make it hard for organizations to deploy MFA easily, he says. "When breaches like these occur, it is easy to point out that the IT professional missed the obvious security concern. But it is less easy to see why those concerns were overlooked in the first place," LaSala says.

One challenge is that most multi-factor authentication products require organizations to deploy software on both the server and user endpoints, says Tamir. Modern IT infrastructures are also becoming increasingly dynamic, and new servers are often spun up and down in these environments in just a few minutes.

"This makes it difficult to ensure authentication software is installed and configured for each server," she notes. Requiring software on various user endpoint platforms similarly is problematic due to BYOD trends and the dynamic nature of mobile device use.

Sometimes, organizations might have to implement MFA products from multiple vendors due to the nature of their technology infrastructure — increasing costs and complexity in the process. And in some environments, as with critical servers on industrial OT networks and SCADA environments or certain financial systems, it isn't possible to deploy any MFA software at all, she says.

Related Content:




Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/10/2018 | 9:09:41 AM
Re: Culture > MFA
I agree but I would also note that even with valid credentials some MFA solutions that require both a mobile token and answering a revolving question from a pool of pre-configuered questions could still stop such intrusions.  Additionally, while still young, risk-based authentication (RBA) on top of that could also help weed out bad actors with valid credentials. 
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
7/9/2018 | 8:10:20 PM
Culture > MFA
While MFA could certainly have prevented or mitigated the damage from these breaches or breaches like these, in my experience these types of breaches tend to have a more fundamental cause beyond a lack of MFA: a lack of a good security culture that led to exploitable weaknesses to begin with.

Case in point here: securitynow.com/author.asp?section_id=613&doc_id=734774
User Rank: Ninja
7/9/2018 | 7:13:05 PM
Improvements in MFA Could Help
Since I don't design solutions, I haven't put too much deep thought into this yet, but over the last year I documented the following statistics and I can see why end users are getting MFA over MFA.  While we are well aware of the need for MFA and similar forms of security, our end users are simply seeing numbers like this and resisting.  Some have the smarts to bypass some MFA (though these days the majority of solutions are too smart to bypass) or simply STOP using some sites as often as they need to or should because of numbers like this.  Call me lazy but even for me, a seasoned techie, this seems like a lot of robot calls answered, lots of texts and browser codes entered.

MFA Contacts over 12 Months

MFA Cell Phone Calls:   2,803

MFA Cell Phone Texts: 1,741

MFA Browser-Delivered Codes: 972

But, let's assume the end user complaints have nothing to do with a company choosing to implement MFA (let's be honest, how many orgs really listen to their end-users anyway). The article notes one reason many companies might be skipping the MFA step in their security plan, which is the need for software on both the server and user endpoints. I was involved in an MFA implementation and it became quite complicated. A software install on the server, followed by embedded web code, and then an end-user desktop install on top of a mobile token app.

Again, not a solutions designer but some improvements in MFA could help get organizations to 100% implementation (despite end-user complaints).

7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.