Timehop Breach Exposes 21 Million Email Addresses

Most people can't remember everything they post on Facebook, Twitter and Instagram. That's where Timehop comes in. The service automatically finds the stuff you shared on today's date in previous years and makes it easy to re-post those memories. It's not exactly revolutionary, but many people appreciate those digital time capsules. However, Timehop has also attracted the attention of some unwanted guests as the company announced this weekend that someone broke into its network on July 4.

Timehop said the data breach affected roughly 21 million of its users. All of them had their names, email addresses and part of the access tokens used to collect information from their social media profiles compromised. Roughly 4.7 million of the accounts had phone numbers connected to them which were also compromised.

Because Timehop is a free service, no payment information was affected by the data breach. The company said no other private data, such as direct messages or Social Security Numbers (SSNs), leaked.

The nature of Timehop's service limited the severity of this breach. Timehop doesn't scour your private messages, ask for your SSN, or seek access to more sensitive information. It's a relatively simple tool that gathers things you publicly shared; a hacker probably could've found the same information with a basic search of your social media. But this isn't to say that the breach doesn't matter--millions of people still had their names, email addresses and phone numbers exposed--however, it's not as alarming as other recent data breaches.

Here's what Timehop said about how it plans to improve security after the intrusion:

"We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to deauthorize compromised access tokens, and ... worked with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases."

The company has also notified government authorities, contracted an outside firm and conducted its own investigation to learn more about the incident. This is a standard response to data breaches. Still, the company's actions might frustrate some users since it requires they give Timehop access to their accounts again. But that's the price of caution. It's better to make people sign back in to Timehop and reauthorize its access to social media accounts than to let whoever stole these access tokens use them unhindered.

No data breach is a good data breach, but in Timehop's case, it seems the company handled things the best they could. Timehop neither gathered unnecessary data to sell to advertisers, nor did it keep copies of users' social media content. It also responded swiftly to the breach (even though it occurred on a U.S. holiday). Timehop said it kicked the intruders out of its systems roughly two hours after they were discovered. Unlike some other companies (ahem, Polar), it also linked directly to the security notice on its homepage.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • 10tacle
    If you give your personal information to Facebook and whatnot, you are a useful idiot. I find it interesting how so many people out in public don't want their faces recognized and get upset when others take photos of them, but yet said people have no problem revealing their personal lives and every walking minute of where they are to Facebook with the "check in" connection. You can't fix stupid.
  • excalibur1814
    "You are a useful idiot. " - Please step down from your high chair.
  • 10tacle
    21127960 said:
    "You are a useful idiot. " - Please step down from your high chair.

    Oh okay. So I will assume then that you had no problem with Facebook trying to backdoor gather health care records of users (if you missed that story here on Tom's, look it up). Fine. I'll step down from my high horse and sit back and watch people whine when their personal information is exposed publicly for free entertainment.

    PS: Facebook right now is under a co-team investigation by the FBI, DOJ, SEC, and FTC for civil violations. Like I said: useful idiots.
  • Mpablo87
    Re-posting memories looks nice. But i'm afraid of the hackers. But it's only your choice. It's your life and your own risk.