Timehop admits that additional personal data was compromised in breach

Timehop is admitting that additional personal information was compromised in a data breach on July 4.

The company first acknowledged the breach on Sunday, saying that users’ names, email addresses and phone numbers had been compromised. Today it said that additional information, including date of birth and gender, was also taken.

To understand what happened, and what Timehop is doing to fix things, I spoke to CEO Matt Raoul, COO Rick Webb and the security consultant that the company hired to manage its response. (The security consultant agreed to be interviewed on the record on the condition that they not be named.)

To be clear, Timehop isn’t saying that there was a separate breach of its data. Instead, the team has discovered that more data was taken in the already-announced incident.

Why didn’t they figure that out sooner? In an updated version of its report (which was also emailed to customers), the company put it simply: “Because we messed up.” It goes on:

In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed. This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.

In both the email and my interviews, the Timehop team noted that the service does not have any financial information from users, nor does it perform the kinds of detailed behavioral tracking that you might expect from an ad-supported service. The team also emphasized that users’ “memories” — namely, the older social media posts that people use Timehop to rediscover — were not compromised.

How can they be sure, particularly since some of the compromised data was overlooked in the initial announcement? Well, the breach affected one specific database, while the memories are stored separately.

“That stuff is what we cared about, that stuff was protected,” Webb said. The challenge is, “We have to make a mental note to think about everything else.”

The breach occurred when someone accessed a database in Timehop’s cloud infrastructure that was not protected by two-factor authentication, though Raoul insisted that the company was already using two-factor quite broadly — it’s just that this “fell through the cracks.”

It’s also worth noting that while 21 million accounts were affected, Timehop had varying amounts of data about different users. For example, it says that 18.6 million email addresses were compromised (down from the “up to 21 million” addresses first reported), compared to 15.5 million dates of birth. In total, the company says 3.3 million records were compromised that included names, email addresses, phone numbers and DOBs.

None of those things may seem terribly sensitive (anyone with a copy of my business card and access to Google could probably get that information about me), but the security consultant acknowledged that in the “very, very small percentage” of cases where the records included full names, email addresses, phone numbers and DOBs, “identity theft becomes more likely,” and he suggested that users take standard steps to protect themselves, including password-protecting their phones.

Meanwhile, the company says that it worked with the social media platforms to detect activity that used the compromised authorization tokens, and it has not found anything suspicious. At this point, all of the tokens have been deauthorized (requiring users to re-authorize all of their accounts), so it shouldn’t be an ongoing issue.

As for other steps Timehop is taking to prevent future breaches, the security consultant told me the company is already in the process of ensuring that two-factor authentication is adopted across the board and encrypting its databases, as well as improving the process of deploying code to address security issues.

In addition, the company has shared the IP addresses used in the attack with law enforcement, and it will be sharing its “indicators of compromise” with partners in the security community.

Everyone acknowledged that Timehop made real mistakes, both in its security and in the initial communication with customers. (As the consultant put it, “They made a schoolboy mistake by not doing two-factor authentication.”) However, they also suggested that their response was guided, in part, by the accelerated disclosure timeline required by Europe’s GDPR regulations.

The security consultant told me, “We haven’t had the time to do the fine-toothed comb kinds of things we normally want to do,” like an in-depth forensic analysis. Those things will happen, he said — but thanks to GDPR, the company needed to make the announcement before it had all the information.

And overall, the consultant said he’s been impressed by Timehop’s response.

“I think it really says a lot to their integrity that they decided to go fully public the second they knew it was a breach,” he said. “I want to point out these guys responded within 24 hours with a full-on incident response and secured their environments. That’s better than so many companies.”

Summer road trip tech essentials and extras

Editor’s note: This post was done in partnership with Wirecutter. When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and TechCrunch may earn affiliate commissions.

Gearing up for a pleasant road trip entails more than picking an exciting destination. The mode of transportation, and what you’re able to do while traveling, sometimes makes or breaks hours spent on the road.

Whether you’re taking an older car on a short solo excursion, or piling in with family and friends for a cross-country drive, your road trip gear and setup can add to the experience. We’ve gathered some of our favorite picks that cover the basics.

iPad Headrest Mount: Arkon Center Extension Car Headrest Tablet Mount

If getting comfortable in a backseat and watching a movie sounds like an ideal way to pass time, do so with the help of a tablet mount. The Arkon Center Extension Car Headrest Tablet Mount securely holds iPads and most 9- to 12-inch tablets.

It attaches to the metal rods of the front seat headrest and its holster is attached to an extendable arm that can be positioned so one or multiple backseat passengers can get a clear view.

Car GPS: Garmin DriveSmart 51 LMT-S

Before the wheels start rolling, knowing where you’re going and how to get there is likely the first order of business. Using a standalone car GPS means your smartphone doesn’t have to be held hostage and you don’t have to rely on a live data connection.

The Garmin DriveSmart 51 LMT-S has maps and a database with points of interest built in so that navigation — even off of the beaten path — is straightforward. It works via Bluetooth, can display alerts or searches from a smartphone and its maps are updated over Wi-Fi. During testing, its voice-control system was the simplest to use and its audible directions were the most precise.

You’ll like that its 5-inch touchscreen displays easy-to-follow lanes and road signs, along with nearby stops and speed limits.

Bluetooth Kit: Anker SoundSync Drive

There’s no fun in a road trip that doesn’t include your favorite podcasts and music playlists. Older cars without built-in Bluetooth pose a problem when it comes to streaming curated entertainment from a smartphone.

Bypass installing a new stereo system and use an inexpensive Bluetooth kit instead. We recommend the Anker SoundSync Drive for cars with an aux-in port as well as other options for different setups. The SoundSync Drive will allow you to listen to music and make hands-free calls.

It offers high-quality audio that’s on par with or better than that of competitors we tested, and it has convenient track-control buttons. Keep it powered by plugging its USB-A charging cable into any car charger or USB power source.

Car Mount: iOttie Easy One Touch 4 Air Vent Mount

For a car mount that won’t get in the way of other devices that have to be placed on a windshield or dashboard, we recommend the iOttie Easy One Touch 4 Air Vent Mount. It fits into an air vent and its grip — which is secured by long rubber-lined arms and a spring-loaded clamp — places it above similar models.

Its cradle holds firm, it can be placed on vents of all thicknesses and it’s easy to position. The Easy One Touch 4 Air Vent Mount’s build makes it easy to access and it works against weighing down vent slats.

USB Car Charger: RAVPower RP-VC006

The RAVPower RP-VC006 USB car charger is small but packs a punch (up to 2.4 amps) with two USB ports for powering smartphones or tablets. It isn’t difficult to insert or remove, and when it’s dark outside, its LED and white ports make it easy to locate.

We like that it’s compact and doesn’t stick out too far. The RAVPower RP-VC006 plugs into a 12-volt power jack and it’s capable of charging two devices — simultaneously and in little to no time. It comes with a lifetime warranty, and if you’re concerned about misplacing it or running out of juice, it’s cheap enough to buy a few.

This guide may have been updated by Wirecutter.

When readers choose to buy Wirecutter’s independently chosen editorial picks, Wirecutter and Engadget may earn affiliate commissions.

You can now stream to your Sonos devices via AirPlay 2

Newer Sonos devices and “rooms” now appear as AirPlay 2-compatible devices, allowing you to stream audio to them via Apple devices. The solution is a long time coming for Sonos, which promised AirPlay 2 support in October.

You can stream to Sonos One, Sonos Beam, Playbase, and Play:5 speakers and ask Siri to play music on various speakers (“Hey Siri, play some hip-hop in the kitchen”). The feature should roll out to current speakers today.

I tried a beta version and it worked as advertised. A set of speakers including a Beam and a Sub in my family room showed up as a single speaker and a Sonos One in the kitchen showed up as another. I was able to stream music and podcasts to either one.

Given the ease with which you can now stream to nearly every device from every device, it’s clear that whole-home audio is progressing rapidly. As we noted before, Sonos is facing tough competition, but little tricks like this one help it stay in the race.

Pinterest is adding a way for users to collaborate on boards

Pinterest is trying to further tap its popularity as a place to plan events, this time adding ways for users to collaborate across boards that are baked directly into the app.

Group boards will have their own designated feed, where users will be able to communicate with others collaborating on that board and also get updates on new member additions or added pins. There are also the other typical social structures you’d expect on an app these days, including @-mentions or liking comments. It’s another step to get people onto Pinterest and sticking around as they look to plan events, and create more ways to make the platform more and more sticky. It’s also another quality-of-life improvement that Pinterest seems to have needed for quite some time.

It’s those kinds of events — weddings, parties and others — that propelled Pinterest initially to become one of the larger social networks in the early 2010s. The company late last year said it had more than 200 million monthly active users, which while small compared to the likes of Instagram or Facebook, serves as a hub for a different kind of user behavior than you might find on those other platforms. The majority of the content on Pinterest is high-resolution products from businesses, where people will search for or save those products as they look to plan future life events.

Pinterest has tried to position itself as one of the best ways to discover new ideas, whether that’s stumbling upon something in a primary feed or finding something through searching. Over time, it’s added more and more tools to try to get people to come back more regularly, and if it continues to improve those recommendation engines, it can continue to run that feedback loop and keep users more and more attached to the platform. Adding a sort of light social pressure from friends that are sharing ideas and looking for feedback is one way to do that, in addition to it generally being useful.

All that is good for its pitch to advertisers as well. Pinterest, in addition to trying to cater to that unique kind of user behavior, is also trying to sell itself to advertisers as a platform where they can reach potential customers through ways they wouldn’t be able to with primary advertising channels like Facebook or Google. By making the platform more sticky, it can go back to those advertisers and offer them better engagement metrics and show that users stick around and are paying closer attention to content on Pinterest, which can in turn drive that additional value to advertisers.

Next Insurance, an insurtech targeting small businesses, scores $83M Series B led by Redpoint

Next Insurance, the Israeli digital insurance startup that helps small businesses get coverage, has raised a significant new funding round, adding another $83 million to its balance sheet.

The Series B round is led by Silicon Valley’s Redpoint Ventures, and will be used by the company to continue expanding across the U.S., where it now operates as a full service insurance carrier. It will also increase headcount in both its Israel and U.S. offices.

Founded in 2016 with the aim of becoming a one-stop insurance shop for micro and small business insurance needs, Next Insurance designs insurance plans for business sectors that are often overlooked by more general insurers.

Small business owners often rely on price comparison websites to figure out what kind of coverage they need and where to buy it, though that means the plans they get don’t always cover all their needs. The other option is to use a broker but that also adds another middle person.

“The complexity of the small business insurance market is very significant and this leads to a situation where even the largest insurance providers own less than 10 percent of the small business market,” founder and CEO Guy Goldstein told TechCrunch when the company raised its Series A. “This offers us huge growth potential as we aim to specialize in and become a market leader in each small business vertical”.

The small business sectors where Next Insurance offers general and professional liability insurance currently include contractors, fitness, cleaning, beauty, therapy, entertainment, and education. It lets you buy insurance instantly at what it claims are very competitive prices and with no hidden fees. In addition, now that Next Insurance is a licensed carrier, it is able to write policies independently, with what it says is more freedom over underwriting, setting prices, and configuring policies.

Moving forward, the company plans on adding further lines of insurance, on-demand coverage, and ensuring that claims are paid within 48 hours. It is also hoping to develop more sophisticated uses of AI and machine learning to improve the customer experience and streamline the insurance purchasing process.

To that end, Goldstein says Next Insurance’s Series B is a “monumental turning point” in the company’s history, describing growth over the last two years as exponential. Hyperbole aside, the company does appear to have found market fit, as evidenced by the size of the round and how many previous backers followed on.

The Series B round brings Next Insurance’s total funding to $131 million in just two years. Other investors that participated in this round include Nationwide Insurance, Munich Re, American Express Ventures, Ribbit Capital, TLV Ventures, and Zeev Ventures. Elliot Geidt, Managing Director of Redpoint Ventures, will join the board of Next Insurance.

More broadly, the insurtech space is rapidly heating up in recognition that the insurance sector, both consumer and B2B, is still yet to be fully digitised, especially in a mobile-first world. In the U.S., consumer home insurance app Lemonade has been grabbing most of the headlines, not least after it raised $120 million in a round led by Softbank.

“Gone are the days of complicated, unreadable policies, exclusions that leave entrepreneurs vulnerable, and endless meetings and phone calls with insurance agents who don’t understand the nuances and needs of different classes of business,” adds Goldstein in a statement. “Small businesses are the backbone of the U.S. economy, and they deserve insurance policies that are simple to access, affordable to own, and which provide them the support and confidence they need to thrive”.