In a security advisory posted on its website, Timehop said it voided the keys used to read and show users their past social media posts a few hours after it detected the attack on its network on July 4th at 4:23 PM Eastern Time.
Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base).
Timehop is making it clear that, "No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected". Timehop also pointed out that there was no indication that any account was illegitimately accessed.
According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December - using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a United States holiday. Still, the company's actions might frustrate some users since it requires they give Timehop access to their accounts again. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.
The company also says hackers stole "access tokens", which were provided to the company by their social media providers.
Timehop - the social network for those who like to reminisce - has revealed that it fell victim to a security breach on Independence Day. The developer ensures that the contents of the posts users compiled through it, called "memories", were not accessed.
Britain will not put Brexit deal to a new referendum: PM May
May told parliament in a heated session that her plan was "not a betrayal" of the referendum vote. Opposition lawmakers said that this was a big blow for the prime minister.
That's very clearly a major security failure - but one Timehop does not explicitly explain, writing only that: "We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts".
If you remember the Gentoo Linux incident, which caused us to say that "Linux experts are crap at passwords", you will see that history has repeated itself here.
The company has also notified government authorities, contracted an outside firm and conducted its own investigation to learn more about the incident.
The attacker then logged on intermittently from December to June to conduct reconnaissance, the company says.
Successful cyberattacks often turn out to have been brewing for some time - after all, it's hard to know where to look, and what to look for, if you're not aware that bad things have been happening in the first place. And thanks, also, for not using two-factor authentication, because that made the crack possible. There't not much point in going to the trouble of keeping system logs if you aren't going to use them until it's too late.
Despite this, the company says it has no evidence that "any accounts were accessed without authorization". Revoke access to ay apps you aren't actively using any more.