Timehop’s data breach compromised 21 million accounts
- Timehop disclosed a data breach that affected 21 million accounts.
- Compromised data includes names, email addresses, and phone numbers.
- Timehop users are urged to change their passwords and contact their carriers.
Timehop, which resurfaces photos and posts from social media accounts, suffered a data breach July 4 that affected 21 million accounts. Compromised data includes names, email addresses, and 4.7 million phone numbers.
According to Timehop, the attacker accessed the app’s cloud computing account with an administrator’s sign-in credentials December 19 of last year. The attacker then created a new account and logged in four times: twice in December, once in March, and once in June.
They did not carry out the attack until July 4, when the attacker transferred the compromised data and attacked Timehop’s production database. Timehop interrupted the attacker two hours after it noticed the breach, but user data was already stolen by then.
Timehop stressed that private messages, financial data, social media content, and Timehop data were compromised. Even though the attacker could have seen what you post on Facebook, Instagram, and Twitter, there is no evidence that it happened.
Timehop also stressed that the attacker likely did not use its access tokens to social media posts. Timehop nonetheless shut down access to those access tokens as a precaution. You must reauthorize the app, however.
In response to the breach, cloud-based accounts like Google Photos and Dropbox now have multi-factor authentication. The app also notified its users in the European Union, just in case the breach might have implications under the new GDPR privacy law.
Timehop also informed law enforcement and employed a cyber threat intelligence company to monitor whether users’ email addresses, phone numbers, and names pop up in forums and lists on the internet.
If you are a Timehop user, contact your carrier to make sure your number cannot be ported. AT&T, Verizon, and Sprint subscribers can add a PIN to their accounts, while T-Mobile subscribers must call customer service and ask for help to limit phone number portability.
You should also update your email account’s password and use two-factor authentication as extra precautions.