Timehop, a popular application that reclaims old photos and posts by syncing to social media profiles, has revealed a data breach of its cloud computing environment on July 4, compromising the data of 21 million users.
According to a public disclosure, Timehop claims that the data compromised were mostly restricted to usernames and email passwords. However, 4.7 million of the 21 million accounts also had their linked phone numbers stolen.
The breach occurred at 2:04 Eastern Time on the afternoon of the 4th of July. The network intrusion compromised an access credential within the company’s cloud computing environment, which wasn’t protected by multifactor authentication. “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts,” the company said.
Timehop works by using ‘tokens’ provided by social media platforms to access posts and images. However, these ‘access tokens’ were also taken by malicious hackers, plausibly allowing them to gain access to users’ posts and images directly. For its part, Timehop claims that the stolen tokens were – within a “short time window” – rendered invalid and deauthorized.
Stating its intention to “commit to transparency” about the security breach, Timehop said:
“Some data was breached. These include names, email addresses, and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.”
The service also said it is working with incident response professionals and security experts as well as both local and federal law enforcement agencies to investigate the matter. Further, the company reset all keys due to an “abundance of caution” to log out all users from their app.