If you’re a Timehop user, we’ve got some really bad news. The app, which reminds you of your past social media postings, says it was hacked on July 4.
Timehop says some 21 million users are affected by the data breach, which exposed information such as names, email addresses, and phone numbers.
In a company blog post, Timehop says although it learned of the hack while it was happening and was able to interrupt it, “data was taken.”
The cause of the hack: Apparently, the company’s cloud computing account wasn’t protected by multi-factor authentication. Timehop says it’s beefed up its security since the incident.
(Now’s a good time to remind you to set up two-factor authentication, aka 2FA, to protect your data for any apps and services that support it. There’s really no reason not to.)
Timehop says the “keys” that are used to link your social media accounts to the app were breached. As a result, the company’s logged all users out of the app to reset the keys. Users will need to log back into all their accounts to re-link them.
“Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”
Your social media content is safe
Aside from the aforementioned names, email, addresses, and phone numbers, it appears all other data is safe.
“No private/direct messages, financial data, or social media, or photo content, or Timehop data including streaks were affected,” the blog post states.
Additionally, the company says no social media posts were accessed by the intruders. That covers any data from third-party services you may have linked to Timehop, such as Facebook, Instagram, Twitter, Google Photos, Swarm, Dropbox, etc.
How to protect your potentially stolen phone number
There are two ways to log into Timehop: with a Facebook account or your phone number.
If, like me, you use Facebook to log into the app, your phone number is safe.
“FB’s API wouldn’t have given a phone number to us, nor would it allowed the use of a phone number to access anything,” Rick Webb, Timehop’s COO, confirmed to Mashable over email. “On top of that, the tokens were invalidated before used.”
However, if you use your phone number as your sign-in, then it’s been stolen by the hackers and you’ll want to take extra measures to protect it from being ported. As 9to5Mac notes, ported numbers could be used to obtain 2FA codes for bank accounts.
“Those who use a phone number as a login had their phone number compromised, but it is unrelated to their FB credentials,” Webb said.
Timehop says of the 21 million accounts that are affected by the hack, about 4.7 million of them have a phone number attached to them.
Here’s what Timehop recommends doing if you use your phone number as your login:
If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.
If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.
Should you be worried?
Even though Timehop has increased its security, the stolen data could still surface online. If your account is affected, make sure you keep an eye out for any suspicious activity.
Timehop even warns there’s a good chance the stolen data could surface (emphasis ours):
Timehop has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.
If you don’t use Timehop, now’s a good time to either delete your account or de-authorize any connected social media accounts. Both can be done from within the app’s settings page.