NEW YORK–A company that helps people to “resurface old social media posts” is now dealing with the surfacing of an issue itself—a data breach involving as many as 21 million people’s information.
While no financial information was involved, enough personal data was compromised that the hackers may be able to commit other crimes, such as opening false accounts in the names of the victims.
Timehop said it has been racing to provide updates to its users and government authorities alike after discovering the breach. It is believed the company is the first in the U.S. to have the dubious honor of suffering a data breach after new data privacy regulations in Europe, known as General Data Protection Regulation, went into effect.
Since Timehop handles data from some European users, it was required to report any data breach to E.U. authorities within 72 hours or risk being fined as much as 4% of its annual revenue.
Independence Day Break-In
Timehop has acknowledged that hackers broke into its systems on July 4 and stole user data that includes names, email addresses, phone numbers and dates of birth (if the user had given Timehop permission to access their Facebook account).
The company said the breach occurred on a third-party server and knocked the app offline for an hour. One vulnerability involved a basic security measure: Timehop’s password for its data service did not use two-factor authentication.
Of Timehop’s 21 million users, Timehop reported that 3.3 million had records showing that their name, email, phone number and date of birth had been stolen in the hack.
The company reported that to date it has not found any evidence that the stolen credentials had been sold or dumped online.