21 Million Exposed in Timehop Data Breach: What to Do Now

UPDATED 4 p.m. Eastern time Friday July 13 with additional information from Timehop regarding the types of personal information compromised.

Your personal information may be at risk.

The creators of the Timehop app, which collects and redistributes old social media posts from Facebook, Instagram and Twitter, announced yesterday (July 8) that the company had "experienced a network intrusion that led to a breach of some of your data."

Credit: Piotr Swat/Shutterstock

"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken," the post added.

The compromised data included "names, email addresses, and some phone numbers," Timehop's statement continued, but "no private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected."

The statement says that 21 million app users were affected, which is the entirety of its user database. Timehop uses phone numbers rather than usernames and passwords to create user accounts, so no passwords were compromised.


The initial intrusion took place back on Dec. 19, 2017, according to a more technical Timehop blog post about the incident. An "unauthorized user" used stolen administrative credentials to log into Timehop's account with an unnamed cloud-computing provider. (The administrative account was not protected by two-factor authentication, a serious oversight which has since been corrected.)

The intruder then logged into this administrative account on four separate occasions between December 2017 and June 2018, and began pulling data from the company's database on July 4. Timehop was able to lock out the attacker later that same day.
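The intrusion pattern described above (a privileged cloud account used without two-factor authentication, from an unfamiliar location, on several occasions over months) is exactly what a cloud audit-log review should surface. The following is an added example, not code from the article or from Timehop: it runs a small detection over constructed log records in a CloudTrail-style JSON shape. The article does not name Timehop's cloud provider, so the record format, the user name `admin-ops`, the IP addresses and the timestamps are all assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample audit records (CloudTrail-like shape, assumed for this
# example). One successful MFA-backed login from a known address, then
# repeated logins without MFA from an address never seen for this user.
SAMPLE_LOG = """\
{"eventTime": "2017-12-10T09:12:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin-ops"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2017-12-19T22:41:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin-ops"}, "sourceIPAddress": "198.51.100.77", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2018-03-02T03:05:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin-ops"}, "sourceIPAddress": "198.51.100.77", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2018-07-04T14:20:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin-ops"}, "sourceIPAddress": "198.51.100.77", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
"""

# Which principals count as administrative, and the source addresses each
# one has historically logged in from (both assumed here).
ADMIN_USERS = {"admin-ops"}
BASELINE_IPS = {"admin-ops": {"203.0.113.10"}}


def parse_log(text):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_console_logins(events, admin_users, known_ips):
    """Return (eventTime, user, reason) findings for suspicious console logins.

    Two rules: an administrative principal that logs in successfully without
    MFA, and any successful login from an address not previously seen for
    that user (reported once per new address to keep noise down).
    """
    seen = defaultdict(set, {u: set(ips) for u, ips in known_ips.items()})
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts are worth counting too, but not flagged here
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        ip = ev.get("sourceIPAddress", "<unknown>")
        mfa = ev.get("additionalEventData", {}).get("MFAUsed", "No")
        if user in admin_users and mfa != "Yes":
            findings.append((ev["eventTime"], user, "admin_login_without_mfa"))
        if ip not in seen[user]:
            seen[user].add(ip)
            findings.append((ev["eventTime"], user, f"new_source_ip:{ip}"))
    return findings


if __name__ == "__main__":
    for when, who, why in audit_console_logins(parse_log(SAMPLE_LOG), ADMIN_USERS, BASELINE_IPS):
        print(f"{when}  {who:<10}  {why}")
```

Run against the constructed records, the first December login from the unfamiliar address produces two findings (no MFA, new source address) and the July login produces one more; the March failure is ignored. Enforcing MFA on the account in the first place removes the first rule's hits entirely, which is the fix the article says Timehop has since applied.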

The attacker obtained some names, email addresses and phone numbers, Timehop said. More importantly, he or she also took some access tokens, the long-term temporary keys that let Timehop access users' social-media accounts and parse them for old posts. Possession of access tokens may have granted the intruder access to old posts as well.

Screenshot: Timehop/gque74

But don't panic: Timehop claims it has no evidence that the attacker used these access tokens to get into users' accounts. It has also deauthorized the compromised tokens.

This means that next time you open Timehop, you'll need to log into the app again and reconnect each service you want to use with the app. We also recommend that you sign in and out of the apps you've linked to Timehop in the past, as that will clear any access tokens you're currently using. (UPDATE: You might want to change the passwords on those accounts as well.) You should also generally be wary of where you link your social media accounts and enter your phone number.
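The mitigation described above, deauthorizing every token the intruder could have copied and forcing users to reconnect each service, amounts to two steps on the service side: mark every stored token issued before the lock-out as dead so the app stops honouring it, and tell each upstream provider to revoke it as well. The following is an added example, not Timehop's code: a small token store that does both, building the provider-side revocation call in the form standardized by RFC 7009 (a form-encoded POST carrying `token` and `token_type_hint`). The revocation endpoint URLs, the user IDs and the timestamps are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlencode
import secrets

# Hypothetical revocation endpoints; real providers publish their own URLs.
REVOCATION_ENDPOINTS = {
    "facebook": "https://provider.example/oauth/revoke",
    "twitter": "https://provider.example/oauth/revoke",
}


@dataclass
class StoredToken:
    user_id: int
    provider: str
    issued_at: datetime
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the table that maps users to third-party tokens."""

    def __init__(self):
        # Keyed by the token value. A production store would keep these
        # encrypted at rest; plain dict here to keep the example short.
        self._tokens = {}

    def issue(self, user_id, provider, issued_at):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = StoredToken(user_id, provider, issued_at)
        return token

    def is_valid(self, token):
        rec = self._tokens.get(token)
        return rec is not None and not rec.revoked

    def revoke_issued_before(self, cutoff):
        """Mark every token issued before `cutoff` as revoked and return the
        RFC 7009 revocation requests that must be sent to each provider.

        Tokens issued after the cutoff (i.e. after the attacker was locked
        out) are left alone, and already-revoked tokens are not re-sent.
        """
        requests = []
        for token, rec in self._tokens.items():
            if rec.revoked or rec.issued_at >= cutoff:
                continue
            rec.revoked = True
            requests.append({
                "url": REVOCATION_ENDPOINTS[rec.provider],
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode({"token": token, "token_type_hint": "access_token"}),
            })
        return requests

    def active_count(self):
        return sum(1 for r in self._tokens.values() if not r.revoked)


if __name__ == "__main__":
    store = TokenStore()
    before = store.issue(1, "facebook", datetime(2018, 6, 1, tzinfo=timezone.utc))
    after = store.issue(2, "twitter", datetime(2018, 7, 5, tzinfo=timezone.utc))
    lockout = datetime(2018, 7, 4, 23, 59, tzinfo=timezone.utc)
    for req in store.revoke_issued_before(lockout):
        print("POST", req["url"], req["body"][:40] + "...")
    print("old token valid:", store.is_valid(before), "| new token valid:", store.is_valid(after))
```

Because `is_valid` consults the store rather than the token string, a copied token is useless to the attacker as soon as the row is marked revoked, even before the provider has processed the revocation; the user simply sees the re-login prompt the article describes. Choosing the cutoff conservatively (the moment of lock-out, or earlier) is what makes this safe: a token issued during the intruder's window of access must be treated as copied.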

Because user phone numbers were also leaked, there's a real risk that attackers may seek to transfer those numbers to their own mobile phones, which could greatly jeopardize your online banking, email and social-media accounts. To prevent that, follow the steps outlined in our story How to Prevent Your Phone Number from Being Hijacked.

UPDATE: On July 11, Timehop added to its blog post that users' dates of birth, countries of residence and gender were also compromised in the data breach. That's serious, because a date of birth makes identity theft much easier when combined with a full or partial name (which almost all the compromised Timehop records contained) plus any street address that could be revealed by searching for the full name on Facebook or Google. A total of 15 million Timehop users had their dates of birth revealed.

If you use Timehop, you might want to consider instituting a credit alert (we have instructions on how to do so here) and possibly subscribing to an identity-protection service.


2 comments
Comment from the forums
  • vfox126
    Why is a company data mining old social media posts? Shouldn't this be illegal? Isn't this basically what Facebook just got in trouble for? I would like to start a new movement called Keep It To Yourself. This is where everybody keeps all their own experiences to themselves. Let's be honest, no one really cares what you ate for lunch or that you went to the beach except you.
  • racksmith101
    Count me in for joining that!