A Popular Social Media App Says It Was Breached, Affecting 21 Million

[Shutterstock - ESB Professional]

Daily Caller News Foundation logo
Eric Lieberman Deputy Editor
Font Size:

Timehop, an app often found on social media platforms like Facebook, Instagram and Twitter, said Sunday that a breach of its systems affected 21 million accounts.

The virtual intrusion occurred on July 4. It essentially happened, according to the company, because the cloud-computing servers were for some reason not protected by multi-factor authentication, which is the process of utilizing at least two means for establishing credentials: personal identification numbers, ATM cards or phone numbers, alpha-numerical or pattern passwords, or even biometric data, such as a fingerprint, among others. Two-factor authentication is one of the most basic, but important ways to safeguard data, and is suggested by almost every cybersecurity expert.

The network attack was detected soon after and was stopped only a little more than two hours later, says Timehop. Still, roughly 21 million accounts were “affected with a name and email.” And just under 22 percent, or 4.7 million of “those accounts have a phone number attached to them.”

Timehop says it has no evidence as of yet that the data obtained by the online menaces have been used in any way. “All the access keys have been de-authorized and cannot be used,” it says on the blog post announcing the incident, meaning that reentry the same way again is unlikely.

“Timehop has retained the services of a well established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users,” the company added. However, “while none have appeared to date, it is a high likelihood that they soon will appear in forums and be included in lists that circulate on the Internet and the Dark Web.”

Users’ names, email addresses, and for some, phone numbers, have been compromised. But, arguably of most importance, is the concession that “‘access tokens’ provided to Timehop by our social media providers were also taken.”

An “access token … is sort of similar to the way your bank uses a routing number and account number to send money,” the Timehop post reads. “These tokens could allow a malicious actor to view without permission some of your social media posts. (as you will read below, we have terminated these tokens and they can no longer be used).” (RELATED: US Government Says Any Day Now For Hacking Of Airliner)

After downloading, Timehop resurfaces old social media posts and other content to provide users with nostalgia and once-forgotten memories. Partners include Facebook, Twitter, Instagram, Dropbox, and several others. Facebook, though, seeing Timehop’s success, rolled out its own version of the app in early 2015 directly for its users called “On This Day.”

The Daily Caller News Foundation reached out to Facebook to see if or how the breach affected its users.

Timehop suggests reaching out to the mobile wireless service companies, like AT&T, Sprint, Verizon, and T-Mobile, that are personally and respectively used to ensure that phone numbers cannot be “ported,” a trick used by hackers to steal further information. It also notes that some content may be inaccessible for some time, and that when logging into one’s account, permission will be needed again for particular features of the app.

Follow Eric on Twitter

Send tips to

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact