Timehop, an app that resurfaces old social media posts for users, revealed that it suffered a security incident that affects 21 million of its customers. This Timehop data breach took place on the Fourth of July, and after discovering and assessing the extent of the issue, the company has revealed details about what happened.
Timehop has detailed the circumstances of its recent data breach in a post on its website. The company learned of the breach as it was happening, at which point engineers were able to disrupt the attack. However, information was still stolen, including the names and email addresses of users. Phone numbers of approximately 4.7 million users were also breached.
No “memories”—social media posts stored by Timehop—were accessed. No private or direct messages were accessed either. Keys that the app uses to show social media posts were compromised, so Timehop deactivated them. If you’re a Timehop user, you’ll need to re-authenticate the app for posts to show up again. (As a security precaution, Timehop also automatically logged all users out of their accounts in order to reset security keys.)
The breach happened when “an access credential to [Timehop’s] cloud computing environment was compromised.” That particular account wasn’t protected by multi-factor authentication; it, and other accounts are now.
According to Timehop, the “damage was limited” since the app only stores the data it absolutely needs in order for the service to run. It doesn’t store credit card or financial data, IP addresses, location data, or any copies of your social media account information. Clearly, if Timehop had been more careless with its security—or more zealous in what data it stored—this data breach could have been far worse.
Security breaches are increasingly becoming not an if, but a when in our digital age. It’s nice to see that, in the case of Timehop, it was able to act swiftly to mitigate its losses, and that it is being transparent with users about exactly what happened and what they need to do to ensure their data remains secure.
Update 12:01pm CT, July 13: In an updated assessment of its data breach shared on July 10, Timehop revealed that additional user information was accessed. This includes gender, date of birth, and country codes for some—but not all—compromised user accounts. A complete breakdown of the number and type of breached user records is available here.