Timehop has shared additional details regarding the recent data breach that impacts nearly 21 million users, claiming that additional personally identifiable information (PII) was compromised during the attack.

The firm originally disclosed the breach in a blog post last Saturday claiming one or more hackers gained unauthorized access to a database storing the usernames, phone numbers, email addresses, and social media access tokens for all Timehop users. Now the firm claims that users’ dates of birth, gender of customers, and country codes have also been breached.  

The investigation into the incident is still ongoing, but so far the company believes the hacker walked away with 20.4 million names, 15.5 million dates of birth, 18.6 million email addresses, 9.2 million gender designations, and 4.9 million phone numbers.

Timehop was originally targeted on December 19, 2017, when an authorized admin user’s credentials were used by an unauthorized user to log into the firms cloud computing environment, where the hacker created a new admin account and has been conducting reconnaissance activities in the firms cloud environment up until July 4 when finally spotted by Timehop.

On July 4 the hacker made a copy of the user database and then changed the password, leading to service disruptions and internal alerts being triggered. Unfortunately, it took Timehop almost 24 hours to determine that it had been breached after the first alert.

In the update published on Wednesday, the firm claimed, “In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything”. The update also includes the number of impacted PII records covered by the recently introduced GDPR.   Here is a detailed breakdown of the number of breach GDPR records compromised in the security breach:

Type of Personal Data Combination

# of Breached Records

# of Breached GDPR Records

Name, email, phone, DOB

3.3 million


Name, email address, phone

3.4 million


Name, email address, DOB

13.6 million

2.2 million

Name, phone number, DOB

3.6 million


Name and email address

18.6 million

2.9 million

Name and phone number

3.7 million


Name and DOB

14.8 million

2.5 million

Name total

20.4 million

3.8 million

DOB total

15.5 million

2.6 million

Email addresses total

18.6 million

2.9 million

Gender designation total

9.2 million

2.6 million

Phone numbers total

4.9 million


Under the General Data Protection Regulation (GDPR), companies must report breaches to supervisory authorities within 72 hours of discovering the breach. Many security researchers believe this timeframe was not enough for Timehop to determine the full scope of the breach, which led to the company sharing misleading information with victims.

While the accelerated disclosure timeline may have led to some miscommunication, the firm’s classic mistake of not doing two-factor authentication is inexcusable. Two-factor authentication, combined with intelligent Change Control to monitor for any configuration changes made would have helped Timehop significantly reduce its likelihood of being breached.



The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.