Timehop breached due to lack of 2FA, 21 million users hit

Timehop on mobile

Timehop on mobile

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base).

Timehop, an app that resurfaces people's old social media posts, has admitted that it was hit by a data breach that affected 21 million users. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.

On July 4, Timehop discovered a network intrusion in process.

Timehop noted that none of its "memories" (the social media posts and photos the app stores) were accessed.

Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.

TimeHop, an add-on for Facebook which reminds users of all the things that happened to them in the past, remains hugely popular despite Facebook itself now offering similar functionality within the main interface. "In general, Timehop only has access to social media posts you post yourself to your profile", it adds. We immediately began actions to deauthorize compromised access tokens, and. worked with our partners to determine whether any of the keys have been used.

The security breach was possible because an access credential to Timehop's cloud computing environment hadn't been protected by multifactor authentication, but the company says it is now.

"We have now taken steps that include multifactor authentication to secure our authorisation and access controls on all accounts", the blog post said.


But the company also said the breach had started in December, and that it only became aware of the problem in July. So evidently there was more than one vulnerable account for attackers to target. Since the creation of that account it was used four times for what Timehop calls "reconnaissance activities".

There is no such thing as ideal when it comes to cyber security but we are committed to protecting user data. Which does have a distinct "stable door being locked after the horse has bolted" feel to it.

Not all users were affected to the same extent.

Twitter had no comment on the breach.

Despite this, the company says it has no evidence that "any accounts were accessed without authorization".

We've reached out to the company with questions and will update this post with any response.

As a result, Timehop says users may have been logged out of the app to reset all of the keys. "[It] took some time to get our send grid account ready for that many emails as we are not a big email sender in general". Furthermore, the company says it's communicating with local and federal law enforcement officials while working through everything. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.

The company said it has notified all European Union users in accordance with the new General Data Protection Regulation, or GDPR.

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.