Timehop, an app that resurfaces social media posts of the past, suffered a data breach on July 4th, the company revealed on Sunday. The data of 21 million users was stolen, including names, email addresses, and some phone numbers.
The hacker entered Timehop’s cloud computing account, which wasn’t protected by multi-factor authentication, transferred data, and attacked Timehop’s production database. The company said that it noticed the breach two hours after it started and was able to interrupt it, but not before user data was stolen. Users’ private messages, financial data, social media content, and Timehop data were not affected.
The attacker had actually begun accessing Timehop’s cloud computing account through an admin user’s credentials on December 19th last year and created a new admin account. They logged in twice in December, once in March, and once in June to survey Timehop’s cloud data, but didn’t carry out an attack until July 4th.
While users’ personal data haven’t been circulated online yet, Timehop says it’s employed a cyber threat intelligence company that will track whether the email addresses, phone numbers, and users’ names appear on forums and lists on the internet and the dark web.
Timehop says that the attacker could also have seen the social media posts you post to your profile on Facebook, Instagram, and Twitter, although there’s no evidence that this happened: “It is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts,” the company said.
While Timehop’s access tokens to social media posts appear not to have been used by the attacker, users have been logged out of the app as a precaution. Timehop says it has shut down the access so you’ll need to reauthorize the app.
In response to the breach, Timehop has added multi-factor authentication to its cloud-based accounts, including Google Photos and Dropbox, increased its monitoring, and informed law enforcement.