Nearly five million of the stolen records (4.7 million) included phone numbers. As bad as that sounds, it gets worse. Because of what Timehop is and how it works, it’s got hooks into all of the social media accounts of every member who uses the app.
Timehop uses tokens to access social media information, and those tokens are now in the hands of the hackers, who could use them to view and/or “scrape” social media content (including private posts) uploaded by every one of the 21 million impacted users. In short, even if you keep tight control over who can see your social media content, if you’re one of the impacted users, the cat is officially out of the bag.
The company says that they deactivated all tokens shortly after the incident was detected, but there was still a small window of time in which they could have been used.
As is the norm in cases like these, Timehop has issued an apology, is in the process of informing all affected users, and is working with law enforcement and an outside agency to assist with the forensic investigation. This incident, however, underscores how easy it is to lose control of one’s data.
It’s not enough to simply exercise caution and be mindful of security on the social media channels you frequent. You’ve also got to be mindful of what third parties you allow to access those channels, because any one of them could provide an inroad for a hacker.