Timehop, a time capsule app that integrates with Facebook and Twitter, on Sunday disclosed a data breach that exposed the personal data of about 21 million users.
The breach, which occurred on July 4, allowed a hacker to access customer names and email addresses. Of the 21 million accounts that were affected, roughly 4.7 million users also had their phone numbers exposed, according to a Timehop blog post.
“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken,” the company said, adding that its investigation into the matter was ongoing.
Timehop allows users to see “memories” of their social media activity, such as posts from previous years on Facebook, Instagram and Twitter. The company said that users’ financial data, private messages or photos on the social media platforms were not exposed in the breach.
Facebook and Twitter did not immediately respond to a request for comment on the report.
However, Timehop said the access tokens the app uses to link to social media posts were compromised, meaning that the hacker could have viewed some posts without permission.
“While we investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens,” Timehop said. “Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall.”
The hacker was able to breach Timehop by accessing its cloud computing environment through an account that was not using “multifactor authentication,” a process used to enhanced cybersecurity,” the company said.
The incident occurred months after Facebook disclosed that a breach had exposed the personal information of as many as 87 million users.