Your social media memories may have been compromised | Tech Security

Chemicloud Web Hosting

Remember Timehop, the “digital nostalgia” app?

No, nor do we, but the company still has a database of about 21,000,000 users who have given the app permission to sift through their digital photos and social media posts – even if they no longer actively use Timehop service.

The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.

Web Hosting

The app was briefly popular a few years ago, before Facebook built a similar feature, known as On This Day, into its own social network.

The good news is that a third-party app like Timehop can’t work without your permission.

The Timehop app has to be authorised by you, and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.

Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn’t let crooks wander in and steal them.

The bad news is that Timehop just announced a data breach.

On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.

Timehop says that the following information was stolen:

  • Access tokens to your social media and online photo services. (All 21,000,000 users affected.)
  • Any or all of your signup name, email address and phone number. (Not all users had all these fields filled in. For example, only 4.7 million users – fewer than a quarter – had handed over their phone numbers.)

Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.

If you’re a Timehop user and you want the app to keep on working, you’ll have to reconnect it to the various services of your choice.

The company says there is no evidence that any of the stolen data has been used for criminal purposes, though of course any stolen email addresses and phone numbers could be abused in the future, dumped online for free, or sold on to other crooks in due course.

Fortunately, the crooks didn’t get any further:

No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.

As you can imagine, a service that scrapes your digital photos and old posts so it can replay them later will inevitably end up with a big stash of user data, but those databases, so far as we know at the moment, were not accessed by the crooks.