- Social media nostalgia app Timehop disclosed it was hit by a breach that affected 21 million users.
- Phone numbers, names, and email addresses were lifted in the breach, and it’s possible malicious actors accessed people’s social accounts too.
- Timehop said the breach happened because the compromised cloud computing account had not been protected by multifactor authentication.
- Timehop is advising people whose phone numbers were taken to take extra security measures with their mobile providers.
Timehop, an app that resurfaces people’s old social media posts, has admitted that it was hit by a data breach that affected 21 million users.
Alarmingly, the company said the data thieves could access Timehop’s “access tokens”, the credentials that allow its app to read people’s old posts from services such as Facebook and Instagram.
“These tokens could allow a malicious actor to view without permission some of your social media posts,” the company said.
Timehop has revoked the tokens and said there’s no evidence that anyone accessed social media data. But the company also said the breach had started in December, and that it only became aware of the problem in July.
“[It] is important that we tell you that there was a short time window during which it was theoretically possible for unauthorised users to access those posts… we have no evidence that this actually happened,” the company said.
The company said names, email addresses, and some phone numbers for the 21 million users were lifted. Some 4.7 million user accounts had a phone number attached. However, no financial data or private messages were affected.
Timehop also admitted that the breach took place because an “unauthorised user” was able to access its cloud computing account, which wasn’t protected by multifactor authentication.
“The breach occurred because an access credential to our cloud computing environment was compromised,” the company said. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”
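The gap Timehop describes, a cloud account that a single leaked credential could unlock, is something an operator can audit for rather than discover after a breach. The following is an added example, not Timehop’s code and not tied to whichever provider Timehop used: it parses a credential report in the style of the AWS IAM credential report (the column names are an assumption, abridged from that format, and the rows are constructed) and flags principals that can sign in without MFA, a root account holding an access key, and access keys that have not been rotated within a chosen window.

```python
"""Audit an IAM credential report for accounts a leaked credential would unlock.

Added example, not Timehop's code. The CSV layout is modelled (abridged) on the
AWS IAM credential report (`aws iam get-credential-report`); the sample rows
below are constructed for illustration only.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Column names are an assumption taken from the
# AWS credential report format; the accounts and timestamps are invented.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T09:00:00+00:00,not_supported,2018-06-30T12:00:00+00:00,not_supported,not_supported,false,true,2017-01-10T09:00:00+00:00,2018-07-01T08:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-03-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2017-03-01T09:00:00+00:00,2018-07-03T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-05-05T09:00:00+00:00,true,2018-07-04T15:00:00+00:00,2018-06-01T09:00:00+00:00,2018-08-30T09:00:00+00:00,true,true,2018-06-01T09:00:00+00:00,2018-07-04T15:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-05-05T09:00:00+00:00,true,2018-07-02T15:00:00+00:00,2017-05-05T09:00:00+00:00,2017-08-03T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Keys older than this are flagged: MFA protects interactive sign-in, but a
# long-lived API key that leaks is usable without any second factor.
MAX_KEY_AGE = timedelta(days=90)


def _parse_ts(value):
    """Parse an ISO-8601 timestamp from the report; None for N/A-style values."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now_iso=None, max_key_age=MAX_KEY_AGE):
    """Return a list of (user, finding) tuples for risky credentials.

    now_iso fixes the reference time (ISO-8601) so results are reproducible;
    it defaults to the current UTC time.
    """
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as "not_supported", but the
        # root account can always sign in with its password.
        can_sign_in = row["password_enabled"] == "true" or is_root
        has_mfa = row["mfa_active"] == "true"

        if can_sign_in and not has_mfa:
            findings.append((user, "can sign in without MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Root should never hold API keys; they bypass every IAM policy.
                findings.append((user, f"root account has an active access key {n}"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append(
                    (user, f"access key {n} not rotated in {max_key_age.days} days")
                )
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run against the sample, the audit flags the root account (no MFA and an old API key), the `deploy-bot` service user (an access key untouched since creation) and `bob` (console sign-in without MFA); `alice`, who has MFA and a recently rotated key, produces nothing. The key-age check matters because enabling MFA, as Timehop says it has now done, closes the interactive sign-in path but does nothing for a leaked long-lived API key, so both need to be reviewed together.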
The company is advising those whose phone number was lifted to take “additional precautions” with their mobile providers. The concern is that a phone number paired with a name and email address is enough to attempt a SIM-swap or number-port fraud, which in turn lets an attacker intercept SMS-based login codes; a carrier-side account PIN or port-out lock is the usual precaution.