A massive data breach at Timehop has exposed the private details of more than 21 million users.
The service links to users’ social media accounts to resurface memories from their old social media posts.
However, the company has revealed that its cloud computing service was recently hacked and the data of 21 million users was stolen.
Most of the data included user names and email addresses.
Around 4.7 million people – or one in five affected users – may have also had their phone number compromised.
Timehop said that the details were stolen because it didn’t use two-factor authentication (2FA) on its cloud computing login.
The service claims to be ‘reinventing reminiscing’ by resurfacing old photos and posts.
The New York-based firm discovered the attack at 2:04am US Eastern Time (7:04am BST) on July 4.
The attack was shut down just two hours and 19 minutes later.
‘We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken’, a spokesperson wrote in a blog post.
The company said names, email addresses and some phone numbers were breached, as well as encryption keys.
These ‘keys’ allow Timehop to read and show people’s social media posts, but not their private messages.
‘We have deactivated these keys so they can no longer be used by anyone’, the company said.
Users were logged out of the app in order to reset all the keys.
The breach also led to a loss of access tokens that the service uses to access users’ posts on other social networks.
There was a ‘short time window during which it was theoretically possible for unauthorised users to access those posts’ but there is ‘no evidence that this actually happened’, according to the blog post.
The company says these tokens have been revoked and will no longer work for users.
‘No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected’, the company said.
Timehop says it has notified all its European users of the breach.
Users who used their phone number to log in are advised by the company to contact their mobile provider in order to make sure their number cannot be ported.
‘The breach occurred because an access credential to our cloud computing environment was compromised’, the company said.
‘That cloud computing account had not been protected by multifactor authentication.
‘We have now taken steps that include multifactor authentication to secure our authorisation and access controls on all accounts’, the blog post said.