Last week, Timehop disclosed that they were the victims of a data breach which jeopardised 21 million users’ data. The catastrophic event was discovered at 2:04 US Eastern time (7:04 BST) on July 4th, Independence Day. It wasn’t until 2 hours and 19 minutes later that the breach was shut down, after almost all of their user data was compromised.
The Good
For the uninitiated, Timehop – a start-up founded in 2011 – is an app which seeks to reunite old social media posts, photos and videos with their owners, giving users a hit of nostalgia (or embarrassment and/or horror as the case may be).
Theirs is a good example of how to deal with a data breach like this one. On Sunday 8th of July, after four days of investigation into the attack, Timehop published on their website a detailed document which outlined exactly what happened, who was affected and what they’re going to do to prevent attacks like this in the future. Such openness and clarity between a brand and their customers should be applauded.
The Bad
So what happened? In their blog article on the event, Timehop were very careful to stress exactly what content was accessed during this breach. Unfortunately, that included the names, email addresses and other personal data of their 21 million users, including the 4.7 million phone numbers which some users had also disclosed.
Timehop have also been very clear that they do not store any credit card or financial data or users’ IP or location addresses. They have been careful in their document to stress that none of the content their service routinely lifts from third party social networks was affected; however, the keys that allow it to read and show this content were compromised.
The Ugly
How did this breach happen? According to Timehop’s blog, the attacker gained access to their cloud environment in December by using compromised admin credentials and targeting an account that wasn’t protected by multifactor authentication.
This is the crux of the matter, and, though Timehop have stressed that these kinds of accounts are being cleansed and security is being tightened, questions must be asked as to why these security measures weren’t in place all along.
Security breaches like these are no joke. They breed mistrust and can destroy a company no matter how early they are caught. It’s clearer than ever that app security must be taken seriously as a matter of urgency. If you’re just setting out on your app development business opportunity journey, this is a timely reminder that data security and user data protection must be a key consideration as your apps develop and your client base grows.
Copyright © 2022 Eazi-Business. All rights reserved.