Timehop, an application that collects old photos and posts from social media on today’s date in previous years, has disclosed a security breach that compromised the personal data of 21 million users.
The attack was discovered on 4th July and the company was able to shut it down two hours after the breach had started. The hacker is believed to have accessed Timehop’s cloud computing account, transferred data and attacked the organisation’s production database. The data stolen included names and email addresses. It is reported that a fifth of Timehop’s users (4.7 million) have had their phone numbers breached in the attack as well.
Since Timehop is a free service, no payment information was leaked. Also, users’ private messages, social media content and Timehop data were not affected.
According to Timehop’s preliminary investigation of the incident, the attacker first entered Timehop’s cloud environment on 19th December 2017. The attacker gained access through an admin user’s credentials and created a new admin account. That account was then logged into twice in December, once in March and once in June to survey Timehop’s cloud data before the attack was launched on Independence Day in the US.
Timehop have reassured users that a cyber-threat intelligence company has been employed to track whether the breached personal data appears on forums and lists on the internet and the dark web.
Timehop have also announced that the attacker could have viewed users’ social media posts on Facebook, Twitter and Instagram; however, they have no evidence of this.
“It is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts,” the organisation stated.
In response to the breach, Timehop has shut down access so if users want to continue using the app, they will have to reauthorize it. The organisation has also added multifactor authentication to its cloud-based accounts, increased its monitoring and informed law enforcement.
A spokesperson for Timehop said it’s still investigating why there was a security lapse “as we do in general make use of it”. “But this employee was here for so long, from back when we were just a baby company, so it seems something got overlooked”.
In a blog post, Timehop made reference to GDPR, the regulation that lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
“Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort”.