About 21 million users have been affected by the Timehop data breach that happened on July 4. The digital nostalgia app, which collects photos from across all social media platforms as well as from Dropbox, posted details of the “security incident” on its website.
While Timehop was able to halt the breach, it admitted that “some data” had already been taken, including names, email addresses, and some phone numbers. But the startup assured affected users that “none of your ‘memories’ — the social media posts & photos that Timehop stores — were accessed.”
Of the total number of users, 4.7 million or 22 percent have given out their phone numbers to Timehop.
Keys, known in the computing world as access tokens, have also been compromised. An access token identifies a specific account and its credentials; it is somewhat similar to the way your bank uses a routing number and account number to send money.
Timehop points to lax security on its cloud computing account. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts,” the bulletin says.
The attack was detected and halted more than two hours later.
To further reassure its users, Timehop said that no sensitive financial information, location data or IP addresses had been stolen. “We don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your ‘Memories’ after you’ve seen them.”
The firm reiterates that the tokens cannot be used to access Messenger or Direct Messages on Twitter and Instagram. However, it warned users that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts — again, we have no evidence that this actually happened.”
To continue using Timehop, users need to reauthenticate the app, because the company’s security officers have deactivated the access tokens to prevent further damage.
The company is still investigating the incident and has hired a cybersecurity response team to work on its recovery architecture and to find out whether users’ data are now being used for cybercrime. “It has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, helping to prevent further attacks.”
Timehop is in communication with local and federal enforcement officials and is providing all requested information to cooperate in all respects with any investigation.
Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.