Timehop, an app which resurfaces memories from your past social media posts, says that it has been hacked. Names, email addresses and phone numbers have been obtained, and the company urges users to take urgent steps to protect their cellphone numbers …
Timehop revealed the hack in a blog post.
On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible […]
Some data was breached. These include names, email addresses, and some phone numbers. This affects some 21 million of our users.
The good news is that it appears none of your social media posts or photos were obtained – the company deletes this data after you have viewed it. Timehops also says there is no evidence that the hackers gained access to any accounts. It has automatically logged everyone out in order to reset security keys.
However, there are potential risks from cell numbers being disclosed. In past attacks, hackers have ported numbers to their own account in order to obtain 2FA messages which can be used to access other accounts, including online banking services. Phone numbers have been compromised for anyone who used their cell number, rather than a username, to login.
For this reason, Timehop urges those users to take steps to ensure that their cell number cannot be ported without their knowledge.
If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.
If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.
For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.
Astonishingly, the attack was possible because Timehop didn’t itself use 2FA for its cloud computing login! It has belatedly corrected that.
Facebook now replicates Timehop functionality with its own Memories feature, making the app obsolete for many.