Social media application Timehop has suffered a data breach exposing personal data of more than 21 million customers.
Timehop is an application for smartphones that collects old photos and posts from Facebook, Instagram, Twitter, and Dropbox photos and distributes the past.
The breach occurred on July 4th, and the company identified the breach when the hackers were extracting the data.
“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.” said in the post published by the company
The breached data includes names, email addresses, and around 4.7 million phone numbers attached to their account.
The company also said that no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected by the breach.
The breach occurred because hackers were able to compromise an access credential to their cloud computing environment which was not protected by two-factor authentication.
The hackers also accessed the authorization token provided by other social media sites which allow hackers to view your social media post without your permission. The company said they have terminated these token and no longer can be used.
“Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.”
Timehop said that they are working with cybersecurity experts, local and federal law enforcement officials to investigate the breach.
The company also said it has taken appropriate measures to improve security such as adding multi-factor authentication on all accounts.