A massive data breach on Timehop has exposed the private details of more than 21 million users.
The service links to users’ social media accounts to resurface memories from their old social media posts.
However, the company has revealed that its cloud computing service was recently hacked and the data of 21 million users was stolen.
Most of the data included user names and email addresses.
Around 4.7 million people – or one in five affected users – may have also had their phone number compromised.
Timehop said that the details were stolen because it didn’t use two-factor authentication (2FA) on its cloud computing login.
The service claims to be ‘reinventing reminiscing’ by resurfacing old photos and posts.
The New York-based firm discovered the attack at 2:04am US Eastern Time (7:04am BST) on July 4.
It was closed down just two hours and 19 minutes later.
‘We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken’, a spokesperson wrote in a blog post.
The company said names, email addresses and some phone numbers were breached, as well as encryption keys.
These ‘keys’ allow Timehop to read and show people’s social media posts, but not their private messages.
‘We have deactivated these keys so they can no longer be used by anyone’, the company said.
Users were logged out of the app in order to reset all the keys.
The breach also led to a loss of access tokens that the service uses to access users’ posts on other social networks.
There was a ‘short time window during which it was theoretically possible for unauthorised users to access those posts’ but there is ‘no evidence that this actually happened’, according to the blog post.
HOW CAN YOU PROTECT YOUR INFORMATION ONLINE?
Because hackers are becoming more creative, security experts are warning that consumers need to take all possible measures to protect their identities.
- Use two-factor authentication whenever possible. You should choose this option on websites that offer it because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information.
- Secure your phone. Avoiding public Wi-Fi and installing a screen lock are simple steps that can hinder hackers. Some fraudsters now pass over secured phones altogether. Installing anti-malware software can also be beneficial.
- Subscribe to alerts. A number of institutions that provide financial services, credit card issuers included, offer customers the chance to be notified when they detect suspicious activity. Turn those notifications on to stay informed about credit card activity linked to your account.
- Be careful when making transactions online. Again, some institutions offer notifications to help with this, which will alert you when your card is used online. It might also be helpful to set limits on the amounts that can be spent with your card online.
The company says the access tokens have been revoked and will no longer work for users.
‘No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected’, the company said.
Timehop says it has notified all its European users of the breach.
Users who used their phone number to log in are advised by the company to contact their mobile provider in order to make sure their number cannot be ported.
‘The breach occurred because an access credential to our cloud computing environment was compromised’, the company said.
‘That cloud computing account had not been protected by multifactor authentication.
‘We have now taken steps that include multifactor authentication to secure our authorisation and access controls on all accounts’, the blog post said.