Photo and memory sharing app Timehop revealed yesterday that it had suffered a major data breach. In a statement, the app developers confirmed that some customer data had been stolen, including names, email addresses, and phone numbers.
UPDATE, 11 July: Timehop has subsequently announced that additional information, including user dates of birth and gender, was taken in the hack as well.
Timehop, an app which searches back through your social media profiles to resurface nostalgic memories, suffered the data breach on July 4 and it affects some 21 million users from around the world.
We explain what happened in the Timehop data hack, plus what you need to do if you're a Timehop user.
Timehop Data Hack – What Happened?
At about 2pm ET on July 4, Timehop discovered that it had been attacked after an access credential (basically, a login) for its cloud computing environment had been compromised. However, Timehop was able to lock the hackers out of its system by 4.30pm.
Unfortunately, this proved too late, as the hackers had made off with some user data. This included, according to a blog post on Timehop’s website:
“Names, email addresses, and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected.
“To reiterate: none of your “memories” – the social media posts & photos that Timehop stores – were accessed.
“Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.”
However, as it revealed a few days later, data including dates of birth and gender information was taken. It also stated, in an interview with TechCrunch, that while the hack affected 21 million accounts in total, varying amounts of data were taken for different users. For example, 18.6 million email addresses were compromised, while 15.5 million dates of birth were. 3.3 million users had their names, email addresses, phone numbers and DOBs stolen.
What Should You Do If You’re a Timehop User?
Firstly, if you want to carry on using Timehop, you’ll have to log back in to the app. Timehop decided to log all of its users out to avoid further potential data breaches.
Secondly, as phone numbers were taken in the data breach, Timehop recommends that, if you used a phone number to log in to the Timehop app, you increase your phone’s security. It suggests that you do so in the following ways:
“If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account.
“If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
“For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.”
In the interview with TechCrunch, a security consultant working for Timehop reiterated the advice that users take the above steps, including password-protecting their phones.
How to Stay Safe Online
If your name, email address or phone number has been taken, it’s unlikely that your entire online presence is now vulnerable. It’s also unlikely that the hackers would be able to worm their way into any other accounts you hold with different companies. You can check if you have been hacked by using a site such as haveibeenpwned.com.
However, to keep your data and information as secure as possible, even in the event of a data breach, such as the one Timehop has suffered, there are several rules that are always worth following:
- Change the password on the affected accounts – this should help to minimise any risk.
- Do not re-use the same password – this will make it harder for hackers to access different accounts.
- Do not, in any circumstance, write your passwords down – this really defeats the point of having a password in the first place.
- Use a password manager – these will provide you with a different, highly secure password for each website or app that you use.
At the moment it’s pretty unclear whether users could take any action against Timehop, or whether they have cause for redress. However, the broad scope of the EU’s GDPR regulations means that there is likely to be some sort of action taken at a high level.