Social app Timehop has confirmed it suffered a data breach affecting 21 million of its users.
The technology company said personal details including names, email addresses and some phone numbers have been compromised as a result of the breach.
The app is used by many as a way to see old social media posts from years gone by, stored from the likes of Facebook and Instagram – however, the firm said none of these “memories” posts it stores had been accessed.
Timehop confirmed access had been gained to its systems from a compromised account which was not protected by what’s known as multi-factor authentication, where a user must provide a second form of verification as well as a password – sometimes an access code sent to another device linked to that account – before being able to log in.
Security experts called the lack of multi-factor authentication on Timehop’s systems a “schoolboy error”.
Dan Pitman, senior solutions architect at Alert Logic, said: “We’re seeing an increase in breach notification, as organisations do their utmost to adhere to the 72-hour imposed timescales.
“Although Timehop were guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly.”
In its announcement on the breach, which the company said took place on July 4, Timehop said: “The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service.
“Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content – and we delete our copies of your ‘Memories’ after you’ve seen them.”
Timehop said it locked out the hackers just over two hours after they had gained access, and revealed that some so-called “access tokens”, which enable the app to link with various social media profiles, had also been compromised. In response, the company said it has terminated these tokens.
It also confirmed it has now introduced multi-factor authentication.
Allen Scott, consumer EMEA director at cyber security firm McAfee, urged people to improve their own personal cyber security to better protect themselves in the event of such breaches.
“We cannot rely on single-factor authentication for our passwords, to protect our digital lives,” he said.
“Frustratingly, I’m sure many Timehop users had the same password linked to their Instagram, Facebook and Twitter accounts. In fact, recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to.
“If you use the same password for Timehop and a number of other apps and accounts you need to change it NOW. A cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information across a number of accounts.
“We know it’s hard to remember all your passwords but using a password generator and manager can help solve this problem and ensure you don’t become an easy target for these sophisticated cyber criminals.”