Timehop breach loses data of 21 million users

Timehop, a smartphone application that collects old photos and posts from Facebook, Instagram, Twitter and Dropbox, has admitted to losing the data of its entire user base, which includes 21 million members, on 4 July 2018.

“With so many people using Timehop – demonstrated by today’s news that more than 21 million people have been affected by this breach – it is no surprise that the network has become a target for cybercriminals,” said David Emm, Principal Security Researcher at Kaspersky Lab.

Stolen usernames and email addresses

Usernames and email addresses were stolen for all 21 million users, while 4.7 million users also had their phone numbers stolen.

“The news that cybercriminals could have access to people’s posts across other social media channels, as well as those posted on Timehop, could distress members who share personal information across these channels. Customers also need to bear in mind that anything that’s been shared with a third-party could end up in the public domain,” added Emm.

Timehop revealed that its compromised cloud account was not verified before the incident, and that it is cooperating with federal law enforcement officials to investigate the breach further and to help enhance its security.

Entrusted data

Emm continued: “The company has reported that the breach occurred when an access credential to its cloud computing environment was compromised and this account was not protected using multi-factor authentication. With the number of data breaches rising, it’s clear that breaches are not a matter of ‘if’ but ‘when’.

“Timehop – along with all other online providers – has a responsibility to look after the data that’s been entrusted to it by its members. This includes the use of two-factor authentication to reduce the risk of accounts being compromised.”

Timehop also noted that “there was a short time window during which it was theoretically possible for unauthorised users to access those posts” although it has “no evidence that this actually happened.”

Written by Leah Alger