Most people can't remember everything they post on Facebook, Twitter and Instagram. That's where Timehop comes in. The service automatically finds the stuff you shared on today's date in previous years and makes it easy to re-post those memories. It's not exactly revolutionary, but many people appreciate those digital time capsules. However, Timehop has also attracted the attention of some unwanted guests as the company announced this weekend that someone broke into its network on July 4.
Timehop said the data breach affected roughly 21 million of its users. All of them had their names, email addresses and part of the access tokens used to collect information from their social media profiles compromised. Roughly 4.7 million of the accounts had phone numbers connected to them which were also compromised.
Because Timehop is a free service, no payment information was affected by the data breach. The company said no other private data, such as direct messages or Social Security Numbers (SSNs), leaked.
The nature of Timehop's service limited the severity of this breach. Timehop doesn't scour your private messages, ask for your SSN, or seek access to more sensitive information. It's a relatively simple tool that gathers things you publicly shared; a hacker probably could've found the same information with a basic search of your social media. But this isn't to say that the breach doesn't matter--millions of people still had their names, email addresses and phone numbers exposed--however, it's not as alarming as other recent data breaches.
Here's what Timehop said about how it plans to improve security after the intrusion:
"We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and performed various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to deauthorize compromised access tokens, and ... worked with our partners to determine whether any of the keys have been used. We will employ the latest encryption techniques in our databases."
The company has also notified government authorities, contracted an outside firm and conducted its own investigation to learn more about the incident. This is a standard response to data breaches. Still, the company's actions might frustrate some users since it requires they give Timehop access to their accounts again. But that's the price of caution. It's better to make people sign back in to Timehop and reauthorize its access to social media accounts than to let whoever stole these access tokens use them unhindered.
No data breach is a good data breach, but in Timehop's case, it seems the company handled things the best they could. Timehop neither gathered unnecessary data to sell to advertisers, nor did it keep copies of users' social media content. It also responded swiftly to the breach (even though it occurred on a U.S. holiday). Timehop said it kicked the intruders out of its systems roughly two hours after they were discovered. Unlike some other companies (ahem, Polar), it also linked directly to the security notice on its homepage.
