The social media app Timehop was hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.
Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find what you were doing on this very day exactly a year ago.
The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.
"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.
Social Media OAuth2 Tokens Also Compromised
Moreover, the attackers got their hands on the authorization tokens (keys) that other social networking sites provided to Timehop for gaining access to your social media posts and images.
With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.
However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a "short time window" after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.
Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment by using a compromised credential.
Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.
Timehop immediately logged all of its users out of the app after the company invalidated all API credentials, which means you will need to re-authenticate each of your social media accounts to the app when you log into your Timehop account to generate a new token.
The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.