Timehop, a social app which shows users memories from their social media pages, has confirmed it suffered a data breach affecting millions of users.
The company said its network was intruded on July 4 and that, although it detected the breach while it was still in progress, data had already been taken by the time the attacker was cut off.
In a statement posted on its website, the company said the breach occurred because an access credential to its cloud computing environment was compromised.
That cloud account had not been protected by multi-factor authentication, so the stolen credential alone was enough to log in. The company says it has since enabled multi-factor authentication and tightened authorisation and access controls on all accounts.
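The practical check that follows from this is an inventory of every principal in the cloud account that can still authenticate with a single stolen secret. The script below is an added example, not Timehop's code; the article does not name the cloud provider, so it assumes AWS and uses the column layout of an IAM credential report (`aws iam get-credential-report`), with a constructed report embedded inline. It flags console sign-in without MFA, root access keys, and long-lived access keys on users with no MFA device, and emits the standard "deny everything except MFA enrolment unless MFA is present" policy that makes the second factor mandatory rather than optional.

```python
"""Audit an AWS IAM credential report for principals usable without MFA.

Added example, not Timehop's code. Assumes AWS (the article does not name
the provider) and the CSV layout of `aws iam get-credential-report`.
"""
import csv
import io
import json

# Constructed sample in the shape of a credential report (a subset of the
# real columns; the account id and user names are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,true
"""

ROOT_USER = "<root_account>"
KEY_COLUMNS = ("access_key_1_active", "access_key_2_active")


def parse_report(text):
    """Parse the decoded credential report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_weak_principals(rows):
    """Return {user: [reasons]} for principals that one stolen secret unlocks.

    - Root reports password_enabled=not_supported but can always sign in,
      so it is treated as console-capable.
    - Long-lived access keys cannot themselves carry MFA; the only way to
      require MFA for API calls is a policy condition (see below), which is
      unenforceable for a user who has no MFA device at all.
    """
    findings = {}
    for row in rows:
        reasons = []
        is_root = row["user"] == ROOT_USER
        can_sign_in = is_root or row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        active_keys = [k for k in KEY_COLUMNS if row[k] == "true"]

        if can_sign_in and not has_mfa:
            reasons.append("sign-in possible with password alone (no MFA)")
        if is_root and active_keys:
            reasons.append("root account has active access keys")
        if active_keys and not has_mfa:
            reasons.append("active access keys but no MFA device, so MFA "
                           "cannot be required for API calls")
        if reasons:
            findings[row["user"]] = reasons
    return findings


def mfa_required_policy():
    """IAM policy denying every action unless the session carries MFA.

    The NotAction list leaves just enough open for a user to enrol a device
    and obtain an MFA-backed session token; everything else is denied when
    aws:MultiFactorAuthPresent is absent or false.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptEnrolmentWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
            },
        }],
    }


if __name__ == "__main__":
    for user, reasons in find_weak_principals(parse_report(SAMPLE_REPORT)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
    print(json.dumps(mfa_required_policy(), indent=2))
```

Against a live account the same functions run over the base64-decoded output of `aws iam get-credential-report`; service users such as `deploy-bot` in the sample are the ones most organisations overlook, since they never log in to the console and their keys are rarely rotated.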
The statement said: “Some data was breached. These include names, email addresses and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.”
The company’s statement reiterated that no user ‘memories’ – the posts and photos that Timehop stores – were accessed.
However, the access keys that allowed Timehop to read and display users' social media posts (but not their private messages) were also compromised, which is why the company revoked them and is forcing users to re-authorise the app.
“We have deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our app,” the statement said.
“If you have noticed any content not loading, it is because Timehop deactivated these proactively.
“We have no evidence that any accounts were accessed without authorisation.
“We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimised.”
The firm said the damage was limited because of its long-standing commitment to only use the data it ‘absolutely needs’ to provide its service.
Commenting on the breach, Dan Pitman, Senior Solutions Architect at Alert Logic, said: “We’re seeing an increase in breach notifications, as organisations do their utmost to adhere to the imposed 72-hour timescales.
“Although Timehop was guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers where not necessary for service and being able to rescind access via the access keys quickly.”