Access Management Lessons From Timehop’s Cloud Security Breach

Over the past couple of weeks, both Macy’s and Timehop experienced breaches as a result of authentication weaknesses. On July 4, social media startup Timehop experienced a data breach that affected 21 million customers and included information such as names, emails, and phone numbers. According to a preliminary investigation conducted by the Timehop team, the attacker gained unauthorized access to the company’s cloud service provider using stolen administrative credentials back in December 2017. For months, the hacker conducted reconnaissance on the system before launching an attack against the company’s production database on the July 4 holiday.

Unfortunately, credential theft attacks like these happen all too often: According to the 2018 Verizon Data Breach Investigation Report, credential theft was the top cause of data breaches. Attackers can gain privileged access to a system using administrative credentials, remaining undetected (sometimes for months as in the Timehop incident) as they move laterally across a system, conducting reconnaissance, and waiting for the right opportunity to exfiltrate data.

Timehop’s breach is an example of the security risk that employees, both current and former, can pose to any organization that practices poor cloud security hygiene. Given the sheer scope of security incidents involving some form of credential theft, it’s important for IT staff and engineers to understand not only where data is stored but also who is accessing and exporting it.

Businesses issue thousands of credentials to employees and contractors, making it more important than ever for them to improve access management. Not doing so could cause an organization’s most sensitive data to be stolen.

Here are a few tips on where to start.

Generate Temporary Credentials

Sometimes it takes thinking like a hacker to establish the infrastructure security controls it takes to keep them at bay. For example, many hackers have bots that crawl Github and other public repositories for credentials and API keys, using them to either exploit a system and exfiltrate data, or take over parts of the infrastructure for nefarious purposes, such as cryptomining attacks.

It’s a relatively simple mistake to accidentally commit credentials to code, especially if developers are using their credentials to make command line changes in AWS or other cloud service providers. To prevent such mistakes from happening, best practices dictate that you should remove all permanent usernames and passwords from the AWS console.

Instead, implement a secrets management system such as Hashicorp Vault to manage policies and credentials, generating temporary keys so developers can make the command line changes they need to make, and subsequently revoking those credentials when these actions are complete.

Temporary credentials can also be useful when specific members of your security team are on call. For example, privileged access can be granted while the team member is on call, and then revoked when their duty is complete — or rotated to a new team member, as Threat Stack does with our open-source Deputize tool for role-based access control.

Improve Authentication Processes

Cloud security measures such as requiring multi-factor authentication (MFA) may seem obvious, but you would be shocked at how many organizations still lack basic MFA policies. Timehop is just one example, but other high-profile breaches caused by a lack of MFA in the past include Deloitte and JPMorgan. Strengthen your security by requiring that all employees and third-party contractors who access your corporate systems turn on MFA for any and all accounts.

Setting up a centralized authentication and identity management system may also prevent some of these credential theft-based breaches from occurring. Identity management software, such as Okta or OneLogin, can prevent weak passwords from serving as an entry point for attackers. Considering that more than half of all people admit to reusing passwords, an automated system can save them the trouble of having to remember multiple different passwords for their various login accounts.

Finally, make an effort to draw clear lines around privileged access (following the principle of least access). Segment your network into role-based groups depending on which employees need access to specific parts of the cloud infrastructure. Having the right system in place can help improve hiring, onboarding, and ongoing security, so everyone understands what their roles and responsibilities are from the outset. However, be sure to periodically evaluate whether these systems and boundaries need to be improved or changed, especially if they’re preventing people from doing their jobs efficiently.

Final Words . . .

With the right infrastructure security controls in place, your organization can become more proactive about security, preventing a potential credential theft incident from wreaking havoc on your confidential data.

To learn how a cloud configuration audit can help eliminate the risks of a misconfigured AWS account before a breach occurs, book a demo of the Threat Stack Cloud Security Platform®.

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.

Book Your Demo