Timehop has suffered a major breach, with its database of 21 million users being affected. Information such as names, email addresses and phone numbers were included.

The service, which links users’ social media profiles to the app so they can look through old photos and ‘memories’, had its cloud computing environment breached on 4th July.

This, the company says, was because the cloud account had ‘not been protected by multifactor authentication.’ Timehop says it has now introduced this feature, though many will question why this was not in place already, given its ubiquity in the industry.

Timehop says that though names, email addresses and phone numbers were breached, no information like financial data, private messages, or social media and photo content were breached.

Timehop – the damage

According to Timehop, just under 22% of the breached users, or around 4.7 million accounts, had a phone number attached to them. It says that a ‘small number’ of records had a name, phone number and email address, with a larger number having a name and phone number, and a larger number still having a name and email address.

Another major issue for the app is the breach of ‘access tokens.’ These tokens allow Timehop to access social media posts, and are provided by social media companies.

Though Timehop says that these tokens were quickly deactivated, it also says that there was a ‘short time window during which it was theoretically possible for unauthorized users to access those posts.’ The tokens do not allow access to private messages or posts made by others onto a user’s profile. Timehop also says that there is no evidence the tokens were used to access profiles.

Timehop users have had to log back into the app, and users that had a phone number connected to the account have been advised to contact their provider.

The company says it has taken the usual steps following a breach, including an initial audit as well as an ongoing, more thorough audit.

It is also employing a ‘well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.’ Finally, it has been in touch with law enforcement officials and its cloud provider.