Timehop Data Breach: 21 million Users’ Data Exposed, including Emails, Phone numbers and Access Tokens

Timehop claims that the tokens were deauthorized and made invalid within a “short time window”

Timehop, an application that collects old photos and posts from social media platforms including Facebook and Instagram and sends "what happened on this day" style reminders, has recently revealed that on 4th July its cloud computing environment was hacked and the data of 21 million users was stolen.

The stolen data included the usernames and email addresses of all users; the phone numbers linked to 4.7 million of the 21 million accounts were also stolen.

Besides this, the access tokens that social media platforms had issued to Timehop for reading users' posts and photos were also taken. These may have allowed the hackers to view some users' social media posts without their permission.

However, Timehop claims that the tokens were deauthorized and made invalid within a “short time window”, and cannot be used to gain access to users’ social media profiles. The company also claims that no financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.

How did the breach happen?
According to the reports, the breach occurred because of an unauthorised login to the company's cloud computing environment. The company said that on December 19, admin credentials were used by an unauthorised user to log in to its cloud environment; the intruder carried out reconnaissance over the next two days and logged in twice more in the lead-up to July 4.

The incident report suggests that the attacker found the password scheme used on one portal and was therefore able to guess the password for other, unrelated portals.

Since the cloud computing account was not protected by multifactor authentication, once the attacker guessed the admin's password, the data was compromised.
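A defender-side illustration of the two signals the report points at, a privileged cloud login with no MFA and a return from an unfamiliar address. This is an added example, not Timehop's code or logs; it assumes a simplified one-JSON-record-per-line login format and uses constructed sample data.

```python
import json
from datetime import datetime

# Constructed sample (not real Timehop logs), loosely following the report's
# timeline: an admin logs in without MFA from an unfamiliar address, returns
# the next day for reconnaissance, then comes back months later.
SAMPLE_LOG = """\
{"user":"alice","role":"admin","ts":"2017-12-01T09:02:00Z","src_ip":"203.0.113.10","mfa":true,"ok":true}
{"user":"alice","role":"admin","ts":"2017-12-19T02:14:00Z","src_ip":"198.51.100.77","mfa":false,"ok":true}
{"user":"alice","role":"admin","ts":"2017-12-20T03:40:00Z","src_ip":"198.51.100.77","mfa":false,"ok":true}
{"user":"bob","role":"developer","ts":"2017-12-20T10:00:00Z","src_ip":"203.0.113.11","mfa":false,"ok":true}
{"user":"alice","role":"admin","ts":"2018-07-04T01:05:00Z","src_ip":"198.51.100.77","mfa":false,"ok":true}
"""

def parse_events(text):
    """Parse one JSON login record per line and sort by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_risky_logins(events):
    """Return (user, iso_timestamp, reason) for successful logins that are
    privileged-without-MFA or come from an address not in the user's baseline.
    The baseline here is simply every address seen earlier in the log."""
    known_ips = {}  # user -> set of source IPs seen so far
    findings = []
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are a separate (brute-force) signal
        reasons = []
        if e["role"] == "admin" and not e["mfa"]:
            reasons.append("admin login without MFA")
        seen = known_ips.setdefault(e["user"], set())
        if seen and e["src_ip"] not in seen:
            reasons.append("new source IP " + e["src_ip"])
        seen.add(e["src_ip"])
        for reason in reasons:
            findings.append((e["user"], e["ts"].isoformat(), reason))
    return findings

if __name__ == "__main__":
    for user, ts, reason in find_risky_logins(parse_events(SAMPLE_LOG)):
        print(ts, user, reason)
```

Enforcing MFA on every privileged account removes the first signal entirely; the second is what would have surfaced the December logins months before the July exfiltration.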
