Timehop has disclosed a security breach that has compromised the personal data (names and email addresses) of 21 million users.
Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.
The service, which plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, on 4th July (🇺🇸), and was able to shut it down two hours later — albeit, not before millions of people’s data had been breached.
Timehop also responded to say:
“There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.”
Ok… But surely you treat cyber security as an essential part of your service, you don’t just begin a program of security upgrades after the fact?
It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident to trigger some encryption enhancements?
More about the incident, and Timehops official response, can be viewed here:
Questionable Privacy Stance
On starting up the Timehop app, you are asked to agree to the following:
We recognize that Timehop might have access to a lot of your data if you have a large number of services connected. Please know that we do not store your data from these services – we grab seven days worth of data to make your Timehop work, and then we delete it. We do not permanently retain any of your social media data. Local photos are never uploaded or stored for any reason, they stay private to you.
Timehop does not sell your data. We won’t send you marketing emails if you don’t want us to. We share anonymized data with our advertising partners, including your gender, age and approximate location. We do not share your name or email with anyone, with two exceptions: When you make a support request, our support software provider (Zendesk) can see your name and email. And we use Amazon AWS for cloud storage of Timehop data. We have signed contracts with both of these providers ensuring your confidentiality.
If you do not wish to use Timehop, you can delete your account at any time in settings using the gear icon in the top left corner of the screen, or emailing us at firstname.lastname@example.org. When you delete your account, all of the data Timehop has that belongs to you will be deleted.
Interestingly, you can’t opt out of sharing your data with third party ad companies. So, making convent an explicit requirement to use the service, although questionable under GDPR, is the name of the game here.
And this hasn’t gone unnoticed. You just need to look at some of the most recent app store reviews on iOS to see others have picked up on this issue:
All in all, timehops communication post-breach was good, but it raised more questions (and possibly highlighted a lack of security awareness) than it answered. Coupled with the privacy issues above, it’s been a bad week for Timehop.
I’ll stick to my Photos app on iOS for my ’on this day’ photo memory fix. 🤓