Skip to main content

Timehop data breach may have compromised 21 million email addresses

Image used with permission by copyright holder

Names and email addresses of as many as 21 million Timehop users may have been compromised as a result of a data breach that occurred on July 4. Timehop, a service that aggregates old photos and posts from various social media accounts — including Facebook, Instagram, Twitter, Google Photos, and Dropbox — discovered the attack on its service as it was unfolding, but it took several hours for the company to contain the breach.

“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data,” the company revealed a few days following the breach. “At 2:43 pm U.S. Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 p.m., Timehop engineers had begun to implement security measures to restore services and lock down the environment.”

Recommended Videos

Timehop’s initial investigation revealed that no user content was compromised as a result of the breach. Engineers deactivated keys that linked Timehop’s service with other social media platforms as a response, so users will have to re-authenticate with those services. Still, in addition to names and email addresses, as many as 4.7 million phone numbers may have also been exposed as a result of the attack, TechCrunch reported.

“While we were confident that the access keys to those services had not been used, we felt that potential exposure of that content urgently justified a service interruption to ensure that attackers could not, for example, view personal photos,” the company said. “Through conversations with the information security, engineering, and communications staff at these providers, we were able to deactivate the keys and confirm that no photos had been compromised.” Timehop further noted that these tokens would not have given anyone access to private information, such as Facebook Messenger messages or Twitter Direct Messages.

According to the company, the first stage of the attack occurred on December 19, 2017 when an unauthorized user obtained the credentials of an administrative user to create a new administrative-level account. The attacker was able to do this because the original administrative account was not protected by multi-factor authentication, and Timehop has since taken steps to secure accounts to prevent another similar attack from happening. The attacker used the newly created administrative account to log into Timehop’s servers in March and June, with the attack taking place in July.

Although the attacker may have had access to some of your social posts on Facebook, Instagram, and Twitter, Timehop informed users that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts.” Despite the security breach, Timehop maintains that it found “no evidence that any accounts were accessed without authorization,” and it claims that because it pulls only the data that it needs for the service, it was able to minimize a potentially larger exposure.  Timehop has notified law enforcement about the breach and retained the services of a cybersecurity agency to monitor the dark web to ensure that user data doesn’t get leaked.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
When is the best time to post on Facebook?
A smartphone with the Facebook app icon on it all on a white marble background.

Knowing when to publish your Facebook posts to gain maximum exposure is important if you're trying to bring more attention to your brand or business. But figuring out the best timing can be a bit tricky as there's no real clear-cut answer that works for every Facebook page. And that's because the optimal timing for different Facebook pages will vary depending on the browsing/viewing habits of their respective audiences.

In the guide below, we'll answer a few of your questions about when to post on Facebook (generally), and we'll mention some ways to figure out the best publish times for your specific Facebook page.
Is it better to post in the morning or at night?

Read more
We may have just seen the Meta Quest Pro, and it looks super sleek
A hand holds a white Meta Quest Pro box with an iimage of the headset on the front

Meta is expected to launch a "Meta Quest Pro" VR set sometime this year, and the first images of this mythical device may have just surfaced online.

The Verge reported on a prototype of the top-secret headset left behind in a hotel room and subsequently discovered by Facebook Gaming personality Ramiro Cardenas, aka Zectariuz Gaming.

Read more
Chrome extensions with 1.4M users may have stolen your data
Google Chrome icon in mac dock.

McAfee researchers have discovered various Google Chrome extensions that steal browsing activity, with the add-ons racking up more than a million downloads.

As reported by Bleeping Computer, threat analysts at the digital security company have come across a total of five such malicious extensions.

Read more