Social media app Timehop has suffered a data breach. The company announced the personal details of approximately 21 million users were stolen from their servers.
The service, which integrates with a user’s social media accounts to call up photos and memories, became aware of the attack as it was occurring in the early morning hours of July 4.
We commit to transparency about this incident, and this document is part of our providing all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.
- Some data was breached. These include names, email addresses, and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.
- To reiterate: none of your “memories” – the social media posts & photos that Timehop stores – were accessed.
- Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.
- If you have noticed any content not loading, it is because Timehop deactivated these proactively.
- We have no evidence that any accounts were accessed without authorization.
- We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
- You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.
- The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or (with respect to advertising) IP addresses (but we do log IP addresses for network audit purposes as described in our Terms of Service); we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your “Memories” after you’ve seen them.
Hackers were able to grab the names and email addresses of 21 million users and the phone numbers of 4.7 million users before the attack was shut down. The company says no messages, financial data, social media, photo content, or Timehop data were stolen.
Unfortunately, the keys that enable the service to read and send social media content to users were compromised, and Timehop has deactivated the keys as a security measure. This means users will need to re-enable Timehop’s access to their accounts if they wish to continue using the social media service.
Timehop suggests that users who used a phone number for login to the service take additional security measures to protect their number.
If you used a phone number for login, then Timehop would have had your phone number. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.
If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.
If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.