You or someone you know might have used Timehop, an app that resurfaces social media posts from years’ past. Well, you better tell those friends of yours to set a new account password, even check in with your telco (if you have a phone number linked to the account), and check for other security measures available to you. The app just revealed it suffered a major data breach on July 4 that gave the hacker access to data of 21 million users, including names, email addresses, and phone numbers (for 4.7 million users).
This wasn’t the first time the hacker/s got into Timehop’s data. It started back in December 19 using an admin’s credentials, which they then used to create a new admin account. The hacker/s then signed in twice in December, once in March, and again in June to take a peek at Timehop’s cloud data.
They accessed Timehop’s cloud computing account (which was not protected by multifactor authentication at that time), transferred the data, and then attacked its production database. Timehop was able to stop the breach two hours after it began but the data has already been stolen. The hacker even gained access to tokens Timehop uses to pull information from social media accounts, which theoretically could be used to view (and scrape) posts that aren’t made public. The company says they deactivated the tokens quickly and there was no evidence that anyone’s information were accessed. (You will need to reauthenticate these tokens if you want to continue using the app.) They also say they already enabled multifactor authentication for its cloud-based accounts, boosted its monitoring, and let law enforcement know. The company is working with a cyber threat intelligence company to monitor if the data appears on forums or lists on the internet and the dark web.
Timehop claims information such as private messages, financial data, social media content, and Timehop data were not affected by the breach.