Data collected by smartphone app Timehop on its entire customer base of 21 million users was compromised following a security incident, the company confirmed on its website on July 4.
According to their statements, the breach was detected within two hours and 19 minutes, while the attack was still in progress, and only some user data was compromised, including names, emails, a few phone numbers and access keys that linked user social profiles to Timehop.
What led to the breach was a vulnerable cloud computing environment with an account that lacked two-factor-authentication.
“The breach occurred because an access credential to our cloud computing environment was compromised,” reads the statement. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”
The company assures account holders that no messages, financial data, photos or social media posts were compromised in the breach.
“To reiterate: none of your ‘memories’ – the social media posts & photos that Timehop stores – were accessed,” Timehop said. “We have no evidence that any accounts were accessed without authorization.”
Access keys were deactivated and users logged out of their accounts as a preventative measure. The company is collaborating with law enforcement and security experts to reduce impact. Also, they assure users that none of their credit card or financial data has been stored on their servers, nor location data, IP addresses or copies of their profiles and content.
Timehop is a memento collector, it mines user photos and posts from social networks and from Dropbox and resurfaces them online.