Date: 2018-07-09

Social app Timehop has confirmed it suffered a data breach affecting 21 million of its users. The technology company said personal details including names, email addresses and some phone numbers have been compromised as a result of the breach.

The app is used by many as a way to see old social media posts from years gone by, stored from the likes of Facebook and Instagram – however, the firm said none of these “memories” posts it stores had been accessed.

Timehop confirmed access had been gained to its systems from a compromised account which was not protected by what’s known as multi-factor authentication, where a user must pass two levels of verification – sometimes a password followed by an access code sent to another device linked to that account – before being able to log in.

Security experts called the lack of multi-factor authentication on Timehop’s systems a “schoolboy error”.

Dan Pitman, senior solutions architect at Alert Logic, said: “We’re seeing an increase in breach notification, as organisations do their utmost to adhere to the 72-hour imposed timescales.

“Although Timehop were guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly.”

In its announcement on the breach, which the company said took place on July 4, Timehop said: “The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service.

“Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your ‘Memories’ after you’ve seen them.”

Timehop said it locked out the hackers just over two hours after they had gained access, and revealed some so-called “access tokens” which enable the app to link with various social media profiles had also been compromised. In response, the company said it has terminated these tokens. It also confirmed it has now introduced multi-factor authentication.

