Timehop has shared additional details regarding the recent data breach that impacts nearly 21 million users, claiming that additional personally identifiable information (PII) was compromised during the attack.

The firm originally disclosed the breach in a blog post last Saturday, claiming one or more hackers gained unauthorized access to a database storing the usernames, phone numbers, email addresses, and social media access tokens for all Timehop users. Now the firm claims that users’ dates of birth, genders, and country codes have also been breached.

The investigation into the incident is still ongoing, but so far the company believes the hacker walked away with 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers.

Timehop was originally targeted on December 19, 2017, when an authorized admin user’s credentials were used by an unauthorized user to log into the firm’s cloud computing environment. There the hacker created a new admin account and conducted reconnaissance activities in the firm’s cloud environment until July 4, when Timehop finally spotted the activity.

On July 4 the hacker made a copy of the user database and then changed the password, leading to service disruptions and internal alerts being triggered. Unfortunately, it took Timehop almost 24 hours to determine that it had been breached after the first alert.

In the update published on Wednesday, the firm claimed, “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything”. The update also includes the number of impacted PII records covered by the recently introduced GDPR. Here is a detailed breakdown of the number of records, including GDPR records, compromised in the security breach:

| Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | |
| Name, email address, phone | 3.4 million | |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | |


Under the General Data Protection Regulation (GDPR), companies must report breaches to supervisory authorities within 72 hours of discovering the breach. Many security researchers believe this timeframe was not enough for Timehop to determine the full scope of the breach, which led to the company sharing misleading information with victims.

While the accelerated disclosure timeline may have led to some miscommunication, the firm’s classic mistake of not using two-factor authentication is inexcusable. Two-factor authentication, combined with intelligent Change Control to monitor for any configuration changes, would have helped Timehop significantly reduce its likelihood of being breached.


