Timehop has shared additional details regarding the recent data breach that impacts nearly 21 million users, claiming that additional personally identifiable information (PII) was compromised during the attack.

The firm originally disclosed the breach in a blog post last Saturday, claiming one or more hackers gained unauthorized access to a database storing the usernames, phone numbers, email addresses, and social media access tokens for all Timehop users. Now the firm claims that users’ dates of birth, gender designations, and country codes have also been breached.

The investigation into the incident is still ongoing, but so far the company believes the hacker walked away with 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers.

Timehop was originally targeted on December 19, 2017, when an authorized admin user’s credentials were used by an unauthorized user to log into the firm’s cloud computing environment. There the hacker created a new admin account and conducted reconnaissance in the firm’s cloud environment until July 4, when Timehop finally spotted the activity.

On July 4 the hacker made a copy of the user database and then changed the password, leading to service disruptions and internal alerts being triggered. Unfortunately, it took Timehop almost 24 hours to determine that it had been breached after the first alert.

In the update published on Wednesday, the firm claimed, “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything”. The update also includes the number of impacted PII records covered by the recently introduced GDPR. Here is a detailed breakdown of the breached records, including the number covered by GDPR:

| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | |
| Name, email address, phone | 3.4 million | |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | |

Under the General Data Protection Regulation (GDPR), companies must report breaches to supervisory authorities within 72 hours of discovering the breach. Many security researchers believe this timeframe was not enough for Timehop to determine the full scope of the breach, which led to the company sharing misleading information with victims.

While the accelerated disclosure timeline may have led to some miscommunication, the firm’s classic mistake of not using two-factor authentication is inexcusable. Two-factor authentication, combined with intelligent Change Control to monitor for any configuration changes, would have helped Timehop significantly reduce its likelihood of being breached.


