Timehop to Confirm 'Security Incident'

Personal data of 21 000 000 users of a popular service is in the hands of attackers
09 July 2018

Timehop, a popular service created in 2011, is a kind of "time machine" for users of social networks. It shows what a user or their friends published a few years ago, collecting information from Facebook, Instagram, Twitter and even photos in Dropbox.

Last Sunday, the company reported that on July 4, 2018, Timehop was attacked by unknown intruders and that, as a result, the data of 21 million people leaked.

Representatives of the company report that they discovered the breach while the hackers were still active and managed to stop the leakage of information, but for many users it was too late. The unknown attackers managed to steal the email addresses, names and phone numbers of 21 million users.

In addition, the attackers compromised "keys that let Timehop read and show you your social media posts (but not private messages)." The developers assure users that all keys have already been deactivated and no longer work, and that users need to re-authenticate in the application.

The official message emphasizes that these tokens do not allow anyone (including Timehop itself) to access Facebook Messenger or personal messages on Twitter or Instagram. Access is granted only to ordinary posts. Theoretically, there was a short period during the incident in which unauthorized users could have accessed such posts of the victims. However, there is no proof yet that this actually happened.

Almost no technical details about the incident have been reported yet, as the company continues its internal audit and investigation, involving local and federal law enforcement agencies as well as third-party cybersecurity specialists.

Representatives of Timehop acknowledge that the attackers got into the system because the credentials for one of its "cloud" accounts were compromised. The account was not protected by multifactor authentication, and only now has the company decided to add further protection to authorization and access control.

Git LFS 2.5.0 to be Available

It replaces large files with text links, and their contents are stored on GitHub Enterprise servers
31 July 2018

The GitHub developers have updated the Git LFS extension. It replaces large files with text links, and their contents are stored on GitHub Enterprise servers. The new version fixes bugs and adds new features to existing commands.

New migration options

The git lfs migrate command has gained several new options.

  • Fixing files that could not be saved in the repository using Git LFS. If the file is larger than 100 MB, it cannot be pushed to GitHub, and the history has to be rewritten with the git lfs migrate import command. If the file is smaller than 100 MB, the git lfs migrate import --no-rewrite command moves the file to the extension and commits the change to the repository.
  • Correcting files that should be stored with LFS but are not. For example, *.png images are supposed to be stored with LFS, but a file was added without it. git lfs migrate import --fixup corrects the error. The --fixup flag reads the rules in the .gitattributes file and automatically converts the matching objects for storage using Git LFS. In the example below, the mona.png file was added without Git LFS:
$ cat .gitattributes
*.png filter=lfs diff=lfs merge=lfs -text

$ git cat-file -p :mona.png | file -
/dev/stdin: PNG image data, 896 x 896, 8-bit/color RGBA, non-interlaced

You can fix it this way:

$ git lfs migrate import --fixup
migrate: Fetching remote refs: ..., done
migrate: Sorting commits: ..., done
migrate: Rewriting commits: 100% (2/2), done
  master        1002728154804338fe645976ad8b7258b0be0810 -> 076e2bfe114df5575b1130f694c18d1b26c86b86
migrate: Updating refs: ..., done
migrate: checkout: ..., done

$ git cat-file -p :mona.png
version https://git-lfs.github.com/spec/v1
oid sha256:49afbfc61b10df78377f8f7dac774158e1a0197740e160ea3572d9839c61ac04
size 106277

Now mona.png is stored in the repository through Git LFS.
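The condition that --fixup corrects can also be checked for without rewriting anything. The following Python code is an added example, not part of the original article or of the Git LFS project: it parses the pointer format shown above, flags paths covered by a filter=lfs rule whose committed blob is not a pointer, and checks file content against a pointer's oid and size. The function names, the sample blobs and the simplified basename-only pattern matching are assumptions.

```python
import fnmatch
import hashlib
import re

VERSION_LINE = b"version https://git-lfs.github.com/spec/v1"
OID_RE = re.compile(rb"oid sha256:([0-9a-f]{64})")
SIZE_RE = re.compile(rb"size (\d+)")

def parse_pointer(blob):
    """Return (oid_hex, size) if blob is a Git LFS pointer, else None."""
    lines = blob.split(b"\n")
    if len(blob) > 1024 or lines[0] != VERSION_LINE:
        return None
    oid = size = None
    for line in lines[1:]:
        if m := OID_RE.fullmatch(line):
            oid = m.group(1).decode()
        elif m := SIZE_RE.fullmatch(line):
            size = int(m.group(1))
    return (oid, size) if oid is not None and size is not None else None

def lfs_patterns(gitattributes_text):
    """Patterns from .gitattributes lines that set filter=lfs."""
    rules = (line.split() for line in gitattributes_text.splitlines())
    return [f[0] for f in rules if f and not f[0].startswith("#") and "filter=lfs" in f[1:]]

def needs_fixup(gitattributes_text, blobs):
    """Paths matching an LFS pattern whose committed blob is not a pointer."""
    patterns = lfs_patterns(gitattributes_text)
    return sorted(
        path for path, blob in blobs.items()
        # Assumption: patterns without a slash are matched on the basename only.
        if any(fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], p) for p in patterns)
        and parse_pointer(blob) is None
    )

def matches_pointer(pointer_blob, content):
    """True if content has the sha256 and size that the pointer records."""
    return parse_pointer(pointer_blob) == (hashlib.sha256(content).hexdigest(), len(content))

# Constructed sample data: a fake PNG body and the pointer that would replace it.
RAW_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed sample bytes"
POINTER = VERSION_LINE + b"\noid sha256:%s\nsize %d\n" % (
    hashlib.sha256(RAW_PNG).hexdigest().encode(), len(RAW_PNG))
ATTRS = "*.png filter=lfs diff=lfs merge=lfs -text\n"
BLOBS = {"mona.png": RAW_PNG, "img/logo.png": POINTER, "README.md": b"# docs\n"}

if __name__ == "__main__":
    print(needs_fixup(ATTRS, BLOBS))          # paths a --fixup run would convert
    print(matches_pointer(POINTER, RAW_PNG))  # content checked against pointer
```

In a real repository the blobs would come from git cat-file -p :<path>, as in the session above.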

To stop using the extension and export the large objects, it is enough to type git lfs migrate export. The command accepts the same arguments as git lfs migrate import and moves files out of the extension.

Other changes

The scripts and programs that served as "crutches" for development have been reworked. The test suite now outputs its results in TAP format and is started by the prove command, and the project can be built with a Makefile, which is familiar to Git users.

In addition, there are fixes and improvements to support for alternative objects, as well as to the output of results from subdirectories by the git lfs status command.