Timehop, a mobile app that surfaces old social media posts from the same day but from previous years, has announced a security breach affecting its entire userbase of over 21 million users.
Not all users were affected to the same extent. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.
Timehop says that not all users had an email address or phone number attached to their account. Only 22% of its 21 million userbase (roughly 4.7 million users) had a phone number attached to their account. Further, not all usernames contained users' real names.
Nonetheless, the hacker stole the access keys for all 21 million users. These access keys link the Timehop account to various social media accounts from where Timehop pulls older social media posts and images.
Timehop says it de-authenticated all accounts so the hacker won't be able to use any of these access keys to retrieve data from its users' third-party social media accounts, such as Facebook, Facebook Messenger, Twitter, or Instagram.
"To reiterate: none of your 'memories' - the social media posts & photos that Timehop stores - were accessed," Timehop said in a statement. "We have no evidence that any accounts were accessed without authorization."
The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.
According to preliminary evidence from the investigation, the intrusion took place on December 19, 2017, when a hacker gained access to an admin account for Timehop’s cloud infrastructure. Timehop says it failed to secure that account with multi-factor authentication, making the attack possible.
The hacker logged into this account on four separate days in December 2017 and March and June 2018, during which they carried out reconnaissance operations.
The intrusion went undetected until July 4, when the intruder started exfiltrating the company’s database. Timehop says it detected the operation and cut off the hacker’s access two hours and nineteen minutes later.
The company said it has now secured all accounts with multi-factor authentication to prevent further intrusions, and is putting other security measures in place.
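The pattern described above, an admin cloud account used without MFA on a handful of days spread over months before the exfiltration, is exactly what a routine check over cloud audit logs should surface. As an added example that is not from the article or from Timehop, here is a small Python scanner over constructed CloudTrail-style ConsoleLogin records: the field names follow AWS CloudTrail's ConsoleLogin event (`additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`), while the usernames, IP addresses and timestamps are made up to mirror the article's timeline.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style ConsoleLogin records (not real Timehop logs); the
# dates echo the article's timeline: one recon login in Dec 2017, March and June
# 2018, then the July 4 login. Usernames and IPs are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2017-12-19T03:12:44Z",
     "userIdentity": {"userName": "infra-admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-03-05T22:01:10Z",
     "userIdentity": {"userName": "infra-admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-06-27T01:47:03Z",
     "userIdentity": {"userName": "infra-admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-07-04T14:04:00Z",
     "userIdentity": {"userName": "infra-admin"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    # A legitimate MFA-protected admin login: this one should be ignored.
    {"eventName": "ConsoleLogin", "eventTime": "2018-07-04T09:30:00Z",
     "userIdentity": {"userName": "ops-admin"}, "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
]
PRIVILEGED = {"infra-admin", "ops-admin"}  # assumed list of admin principals

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_no_mfa_logins(events, privileged=PRIVILEGED):
    """Successful console logins by privileged users where MFAUsed was not 'Yes'."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        user = e.get("userIdentity", {}).get("userName")
        if user in privileged and e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append((user, e["eventTime"], e.get("sourceIPAddress")))
    return hits

def login_days(hits):
    """Distinct calendar days on which unprotected admin logins occurred."""
    return sorted({t[:10] for _, t, _ in hits})

def dwell_days(hits):
    """Days between the first and last unprotected login: how long the access went unnoticed."""
    times = [parse_time(t) for _, t, _ in hits]
    return (max(times) - min(times)).days if times else 0
```

Run over the sample records, `find_no_mfa_logins` flags the four `infra-admin` logins and `dwell_days` reports 197 days between the first and the last, which is the gap the article's timeline describes between the initial login and the exfiltration.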
UPDATE [July 10]: As promised, Timehop has updated its breach investigation page, and has updated the incident timeline and published additional extensive details about what the hacker gained access to.
| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |