CALIFORNIA, U.S. - In yet another massive data breach, Timehop, an app that reminds social media users about posts from their past, has disclosed that it suffered a breach that exposed 21 million users.
More shockingly, the app revealed that 4.7 million of the users who had their data stolen also had a phone number attached to their accounts, which has now been compromised by the breach.
According to Timehop, which made the public disclosure about the data breach in a blog post, the major breach took place on July 4.
The company revealed that 21 million users had some form of personal data stolen and that attackers were also able to retrieve access tokens that would have enabled them to view users’ posts on Facebook, Instagram, Twitter, and Foursquare.
In its blog post, Timehop described the breach that occurred at 2:04 PM on Independence Day and said that its cloud servers were not protected by multi-factor authentication, a security control that should be considered a default for any company.
It revealed that hackers had access to the Timehop system for a little over two hours.
Further, in its public declaration of the breach, the company is said to have published a detailed timeline of its response.
Experts pointed out that the more dangerous aspect of the breach was that intruders were able to take control of the access tokens Timehop uses to pull information from social media accounts.
Theoretically, those tokens could be used to view (and scrape) social media posts that aren’t made public.
However, Timehop has argued that it deactivated the tokens quickly and there’s no evidence that anyone’s accounts were accessed.
Timehop further pointed out in its technical report that an unauthorized user first accessed its cloud computing provider on December 19, 2017, to conduct reconnaissance.
It noted in its report that this was done on four other occasions without being detected.
Further, the organization noted that it enlisted the services of an outside cybersecurity incident response company to conduct an audit of its system, contacted law enforcement, and is working with its social media partners to continue monitoring for further breaches.
It said, “No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.”