Timehop confirmed that a data breach affected certain pieces of personal information belonging to 21 million of its users.
According to a statement posted on its website, the service that distributes social media memories to its members detected a network intrusion in the afternoon of 4 July. Timehop learned that those responsible for the incident had exploited a cloud computing environment access credential to gain access to the personal information of 21 million users, or about 22 percent of its active user base. Those compromised bits of data included names, email addresses and phone numbers along with access tokens that could have allowed attackers to view members’ social media posts.
The company hadn’t found evidence of such misuse at the time of publication. As quoted in its notice:
We have no evidence that the data has been used. All the access keys have been de-authorized and cannot be used. Timehop has retained the services of a well-established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.
Upon learning of the incident, Timehop’s engineers locked the attackers out of the company’s systems within three hours. They also implemented multi-factor authentication (MFA) to help secure the authorization and access controls on the company’s accounts. At the same time, the company deauthorized any social media access tokens that the attackers might have compromised.
The service is currently in contact with an incident response firm, digital intelligence experts, its cloud computing provider and law enforcement personnel about the incident.
At this time, it’s unclear what this event will mean for Timehop under GDPR. The company did state that it notified EU users as quickly as possible and is working with “European-based GDPR specialists” to understand the implications. In the meantime, it’s requiring all users to re-authenticate each of the services they use with Timehop. The service is also asking users to protect their phone numbers so that attackers can’t port them and in turn compromise people’s web accounts.