• The stolen data included usernames, email addresses, access tokens and, in some cases, phone numbers.
  • The hack took place on July 4 after a hacker gained access to a cloud computing account that was not secured with multi-step verification.

Timehop, a popular mobile app that resurfaces old photos and posts from social media profiles that one may have forgotten about, has announced a data breach that compromised the personal data of over 21 million users - essentially its entire user base.

The network intrusion was discovered at about 2:04PM EST while the attack was still in progress. Although the company said it was able to stop the breach within hours, data was stolen in the process.

The stolen data comprised mostly of usernames and email addresses. About 4.7 million accounts that had phone numbers linked to them were also exposed. The company noted that no private or direct messages, financial data, social media or photo content, or Timehop data such as streaks were impacted in the breach.

“To reiterate: none of your 'memories' - the social media posts & photos that Timehop stores - were accessed,” the company said in a statement.

However, authorization tokens or keys for all 21 million users, that allow Timehop to gain access to various social media accounts from where the service pulls older social media posts and images, were also stolen in the data breach.

However, the firm claims that the tokens were deactivated to prevent hackers from gaining access to users’ social media profiles such as Facebook, Facebook Messenger, Twitter or Instagram.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall,” Timehop said. “In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts - again, we have no evidence that this actually happened.”

Timehop said there is currently no evidence to suggest that any accounts were accessed without authorization. The company further noted that they are working closely with local and federal law enforcement officials to investigate the incident and enhance their security structure.

“We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.”

The company has since forced a password reset for all users and added multi-factor authentication to all its accounts linked to all of its cloud server accounts. Timehop admitted that the account login process on the compromised cloud server was not protected by multi-factor authentication prior to the breach.

With the new stringent GDPR regulations in place, Timehop said it has notified its European users and is assisting European-based GDPR experts in providing counter measures.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service,” the company said. “We commit to transparency about this incident."

It added that its disclosure about the breach is part of "providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.”

Cyware Publisher