21 million users affected by intrusion on app’s cloud storage

UPDATE: As the investigation continues, Timehop has revealed further information that was compromised, including dates of birth, gender, and the country codes belonging to 21 million users. Further details can be found here.

A mobile application that collects and distributes old posts and pictures from social media has reported a data breach affecting 21 million users.

Timehop, the app in question, announced in a blog post yesterday that an unauthorized user had gained access to its cloud storage and entire database in December of last year.

Usernames, email addresses and approximately 4.7 million phone numbers were stolen, but no “private/direct messages, financial data, social media or photo content” were accessed, the company said.

However, the access keys that sync the Timehop app to a user’s various social media accounts, and that would allow an attacker to access those accounts, were compromised.

Timehop has “deactivated these keys so they can no longer be used by anyone,” meaning users will now have to re-authenticate the app for further use.

The company announced it was also introducing multifactor authentication to accounts – which was not an option before the hack – for added security.

The initial incident occurred on December 19, but the company was not made aware of the intrusion until July 4, when “the attacker(s) conducted activities including an attack against the production database, and transfer of data,” triggering an alarm with Timehop security engineers.

“Once we recognized that there had been a data security incident, Timehop's CEO and COO contacted the Board of Directors and company technical advisors; informed federal law enforcement officials; and retained the services of a cyber security incident response company, a cyber security threat intelligence company; and a crisis communications company,” Timehop said.

An ongoing investigation, which formally began on July 5, indicates that the unauthorized user accessed Timehop’s cloud storage at least six times between December 19 and July 4, after creating a new administrative user account.

“This preliminary understanding of the timeline and activities of the attackers brought home that we needed to immediately conduct a user audit and permissions inventory; change all passwords and keys; add multifactor authentication to all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider); revoke inappropriate permissions; increase alarming and monitoring; and perform various other technical tasks related to authentication and access management and the introduction of more pervasive encryption throughout our environment,” Timehop said.

The company added that it had seen no evidence of fraud, and that not all usernames taken were the real names of individuals.