Popular nostalgia app Timehop reveals that the data of millions of users has been stolen.
The Timehop platform is widely used online to surface past social media content, providing users with memories of days gone by, but it looks like its cloud environment was less than 100 per cent secure.
According to a statement from the company, the data from 21m users was stolen on 4 July following a security incident.
A long-game attack
An unauthorised individual used an authorised administrator’s credentials to log into the company’s cloud provider in December 2017, and conducted reconnaissance within the cloud environment on a couple of occasions before the July attack.
The bulk of the stolen information consisted of usernames and email addresses, but 4.7m phone numbers were also nabbed in the process. Tokens provided by social media platforms to Timehop that allowed the app to access images and posts were also stolen.
No social media posts or private messages were stolen and the access tokens taken were deactivated by Timehop so nobody can use them again. Users will need to reauthenticate the app to use it once more. As a precaution, the company also logged all of its users out of the app.
No multifactor authentication
According to Timehop, the cloud computing account that was compromised was not equipped with multifactor authentication before the breach occurred, which is surprising considering the large volumes of data handled by the company.
The company said: “Once we recognised that there had been a data security incident, Timehop’s CEO and COO contacted the board of directors and company technical advisers; informed federal law enforcement officials; and retained the services of a cybersecurity incident response company, a cybersecurity threat intelligence company and a crisis communications company.”
Timehop working under GDPR
At the time of writing, Timehop says there is no evidence that the stolen information has been used. The company has also notified all of its EU users of the breach under the new GDPR privacy measures, and is working with European experts to ensure mitigation procedures are in place.
If you signed up to Timehop with your phone number previously, you should contact your network provider and ensure your account is protected with a strong password.
The incident shows the importance of multifactor authentication, both for users and for corporations, in safeguarding customer data.
Timehop installation screen on mobile phone. Image: Sharaf Maksumov/Shutterstock