Timehop Discloses Data Breach That Impacts 21M Users

Timehop, the mobile app that gathers photos from social media, disclosed on Monday (July 9) that it was the subject of a data breach.

In a blog post, the company said that on July 4 it experienced a network intrusion that led to a breach of some of its customers’ data. It said the incident affected approximately 21 million of its users, but that no private/direct messages, financial data or social media or photo content was impacted.

“We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken,” wrote Timehop. “While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.”

The data that was breached includes names, email addresses and some of its customers’ phone numbers. “To reiterate: none of your ‘memories’ – the social media posts and photos that Timehop stores – were accessed,” the company noted.

Timehop did share that certain keys, which allow the app to read and display customers’ social media posts, were also compromised; the company subsequently deactivated the keys so they can no longer be used. As a result, users will have to re-authenticate to the Timehop app.

Timehop said that because it uses only the data needed to provide the service, damage from the breach was limited. The company said that it never stores credit card data or financial information, location data or IP addresses. What’s more, Timehop said it doesn’t store copies of social media profiles, and deletes its copies of “Memories” after customers have seen them.

According to Timehop’s timeline, a network intrusion happened at 2:04 p.m. EST, when an access credential to its cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication, Timehop said in the blog, noting that it has taken steps (including multifactor authentication) to secure authorization and access controls on all accounts. Two hours and 19 minutes later, the company said its engineers had locked out the attackers.

“While we investigate, we want to stress two things: First, to date, there has been no evidence of, and no confirmed reports of any unauthorized access of user data through the use of these access tokens,” noted the blog post. “Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or direct messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.”

The company said it has conducted an initial audit and is conducting a deeper dive of all accounts, credentials and permissions granted to users. It has also tapped an outside cybersecurity firm to look into the incident and the response, to gain an understanding of any exposure or potential exposure of customers’ data, and to ensure that there are no follow-up attacks in progress.