Timehop, an app that resurfaces your old photos and posts by connecting to your social media profiles, revealed that its cloud computing environment was hacked and the data of 21 million users was stolen on July 4.
The stolen data comprised mostly of user names and email addresses. Of the 21 million compromised user data, the phone numbers linked to 4.7 million accounts were also stolen.
“Tokens” provided by social media profiles to Timehop for gaining access to posts and images were also taken.
With the “access tokens,” hackers could view some of the users’ social media posts without their permission. However, Timehop claims that the tokens were deauthorized and made invalid within a “short time window” and cannot be used to gain access to users’ social media profiles.
Timehop noted that the compromised cloud computing account did not have multi-step verification before the incident – a gross oversight on the company’s part, given that it’s now common practice among firms handling large volumes of user data. Timehop is in cooperation with local and federal law enforcement officials to investigate further on the breach, and to enhance its security upgrades. Following the breach Timehop also reset all its passwords and added a multi factor authentication to all its accounts linked to cloud-based services.
As of now, Timehop claims that there is no evidence of the stolen data being used. With the new GDPR privacy law defining a breach as “likely to result in a risk to the rights and freedoms of the individuals”, Timehop claims to have notified all its European users of the breach, and that it is working closely with European-based GDPR experts to assist in the counter measures.
If you previously signed in to Timehop with your phone number, you’ll want to call your mobile carrier and set up a strong, unique account passcode to protect your account and prevent your number from getting ported, or otherwise tampered with.
Get the TNW newsletter
Get the most important tech news in your inbox each week.