A recent Timehop database breach, occurring on the Fourth of July, might affect as many as 21 million users, due to a lack of multi-step verification…
Timehop, the mobile app which connects users’ social profiles to resurface old pics and videos, states its database was breached on July 4th. The stolen data mostly pertains to user names and email addresses of up to 21 million people. However, it also exposed the phone numbers of 4.7 million accounts.
Additionally, the “tokens” that social media profiles provide to the app so it can access users’ posts and other content were also taken. With access tokens in hackers’ hands, it’s possible for them to view users’ social media posts without the owner’s permission. However, Timehop states it deactivated the tokens, meaning they cannot be used to gain such access.
Timehop Database Breach affects 21 Million Users
The Timehop database breach occurred due to a lack of multi-step verification, which is a common practice among companies with large amounts of user data. Timehop reset all its passwords, and the company now applies multi-factor authentication to all accounts connected to its cloud-based services.
At this time, the company states there is no evidence the stolen data is being used. It’s also complying with the newly enacted European GDPR law by notifying all relevant users.
For those who have recently signed into Timehop with their phone numbers, it’s highly advisable to contact their mobile carriers. It’s strongly recommended to set up a new, secure passcode to protect against theft or porting of mobile phone numbers.
“If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this. If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number. For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.”
Read the full disclosure announcement here.