Timehop has shared additional details about the recent data breach that affects nearly 21 million users, stating that more personally identifiable information (PII) was compromised than first reported.
The firm originally disclosed the breach in a blog post last Saturday, saying that one or more attackers gained unauthorized access to a database storing the usernames, phone numbers, email addresses, and social media access tokens of all Timehop users. The firm now says that users' dates of birth, gender designations, and country codes were also exposed.
The investigation into the incident is still ongoing, but so far the company believes the hacker walked away with 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers.
Timehop was first compromised on December 19, 2017, when the credentials of a legitimate admin user were used by an unauthorized party to log into the firm's cloud computing environment. The intruder created a new admin account and conducted reconnaissance in the cloud environment intermittently until July 4, when Timehop finally spotted the activity.
On July 4 the attacker made a copy of the user database and then changed the password, which caused service disruptions and triggered internal alerts. Even so, it took Timehop almost 24 hours after the first alert to determine that it had been breached.
In the update published on Wednesday, the firm said, “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything”. The update also breaks out how many of the affected records belong to users covered by the recently introduced GDPR. Here is the firm's breakdown of breached records, with the GDPR-covered subset in the right-hand column:
Type of Personal Data Combination | # of Breached Records | # of Breached GDPR Records
Name, email, phone, DOB | 3.3 million | 174,000
Name, email address, phone | 3.4 million | 181,000
Name, email address, DOB | 13.6 million | 2.2 million
Name, phone number, DOB | 3.6 million | 189,000
Name and email address | 18.6 million | 2.9 million
Name and phone number | 3.7 million | 198,000
Name and DOB | 14.8 million | 2.5 million
Name total | 20.4 million | 3.8 million
DOB total | 15.5 million | 2.6 million
Email addresses total | 18.6 million | 2.9 million
Gender designation total | 9.2 million | 2.6 million
Phone numbers total | 4.9 million | 243,000
Under the General Data Protection Regulation (GDPR), companies must report breaches to the supervisory authority within 72 hours of becoming aware of them. Some security researchers argue that this window was not enough for Timehop to determine the full scope of the breach, which led to the company sharing incomplete, and therefore misleading, information with victims. Note, though, that Article 33 of the GDPR explicitly allows the required information to be provided in phases where it cannot all be supplied at once, so the regulation does not force a company to publish unverified numbers.
While the accelerated disclosure timeline may explain some of the miscommunication, the firm's failure to enforce two-factor authentication on the compromised admin account is the classic mistake here, and it is hard to excuse. Two-factor authentication, combined with change control that monitors the cloud environment for configuration changes such as the creation of a new admin account, would have significantly reduced Timehop's likelihood of being breached, and would have cut the seven months between initial access and detection.
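The two signals that would have surfaced this intrusion early are visible in the timeline above: a console login without a second factor, and that same session creating a new principal and granting it administrative rights. The following Python script, added here as an illustration and not Timehop's own tooling, runs a small detector over a constructed audit log. The JSON field names (`actor`, `action`, `mfa`, `target`, `policy`) and the policy name `AdministratorAccess` are assumptions made for the example, not a specific cloud provider's audit schema; map them to whatever your provider actually emits.

```python
"""Toy change-control detector for the two Timehop-style signals:
an admin login with no MFA, and a new privileged account created
from a session that never proved a second factor.

Added example; field names and policy names are assumptions, not a
real provider's audit-log format.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Not real Timehop data.
SAMPLE_LOG = """\
{"ts": "2017-12-19T02:11:07Z", "actor": "ops-admin", "action": "ConsoleLogin", "mfa": false, "src_ip": "203.0.113.9"}
{"ts": "2017-12-19T02:14:30Z", "actor": "ops-admin", "action": "CreateUser", "target": "svc-backup2"}
{"ts": "2017-12-19T02:15:02Z", "actor": "ops-admin", "action": "AttachPolicy", "target": "svc-backup2", "policy": "AdministratorAccess"}
{"ts": "2018-07-03T09:00:00Z", "actor": "alice", "action": "ConsoleLogin", "mfa": true, "src_ip": "198.51.100.4"}
{"ts": "2018-07-03T09:05:00Z", "actor": "alice", "action": "CreateUser", "target": "ci-runner"}
{"ts": "2018-07-03T09:06:00Z", "actor": "alice", "action": "AttachPolicy", "target": "ci-runner", "policy": "ReadOnlyAccess"}
"""

ADMIN_POLICIES = {"AdministratorAccess"}  # assumption: policies that confer full admin
SESSION_WINDOW = timedelta(hours=12)      # assumption: how long a login vouches for later actions


@dataclass
class Finding:
    ts: str
    actor: str
    rule: str
    severity: str
    detail: str


def parse_events(text):
    """Parse JSON-lines audit records and order them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort correctly as text
    return events


def session_had_mfa(login, now):
    """True only if the actor's most recent login used MFA and is still fresh."""
    if login is None:
        return False
    when, mfa = login
    return mfa and (now - when) <= SESSION_WINDOW


def detect(events):
    findings = []
    last_login = {}  # actor -> (login time, mfa used?)
    for e in events:
        actor, action = e["actor"], e["action"]
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))

        if action == "ConsoleLogin":
            last_login[actor] = (t, bool(e.get("mfa")))
            if not e.get("mfa"):
                findings.append(Finding(e["ts"], actor, "login_without_mfa", "high",
                                        f"console login from {e.get('src_ip', '?')} with no second factor"))
            continue

        # Every account creation or admin grant is a configuration change worth
        # a change-control review; escalate when the session never proved MFA.
        sev = "medium" if session_had_mfa(last_login.get(actor), t) else "high"
        if action == "CreateUser":
            findings.append(Finding(e["ts"], actor, "account_created", sev,
                                    f"new principal {e.get('target')}"))
        elif action == "AttachPolicy" and e.get("policy") in ADMIN_POLICIES:
            findings.append(Finding(e["ts"], actor, "admin_privilege_granted", sev,
                                    f"{e.get('policy')} attached to {e.get('target')}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} [{f.severity}] {f.actor}: {f.rule} ({f.detail})")
```

Run against the constructed log, the December 2017 chain produces three high-severity findings (the no-MFA login, the new account, the admin grant), while the legitimate July 2018 activity by `alice` produces only a medium-severity review item for the new account and nothing for the read-only policy. The point is that the December events already contained everything needed to page someone; the gap was that nothing was watching for them.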