Timehop has admitted that a data breach that occurred on July 4 now involves more data that originally reported.
When the company first announced the data breach over the weekend, it said that users’ names, email addresses and phone numbers had been compromised. Now, Timehop says other data, like date of birth and gender, was also compromised.
All in all, about 21 million user accounts were impacted by the data breach. But Timehop says not all accounts were compromised equally. For example, all 21 million accounts had their names leaked, but only 3.3 million had emails, phone numbers and dates of birth compromised, too.
It’s worth noting that Timehop is still talking about the same data breach — this isn’t two separate incidents. But there’s still the question of why the team didn’t discover the full scope of stolen data sooner.
In an updated security report sent out to impacted users via email, Timehop explained it succinctly: “Because we messed up.”
“In our enthusiasm to disclose all we knew, we quietly simply made our announcement before we knew everything,” the email continued.
Timehop COO Rick Webb made it clear that user content — like photos, statuses, and other data stored as “memories” — was not stolen in the breach. Webb told TechCrunch that “that stuff is what we cared about, that stuff was protected.”
He added that the company would have to “make a mental note to think about everything else” moving forward. According to TechCrunch, the attacker was seemingly able to breach Timehop’s servers by targeting an account that wasn’t secured with two-factor authentication.
To prevent future breaches, the company said it is taking measures to implement multi-factor authentication to all accounts that did not already have it. It also said it will be further encrypting its databases.
As for the current breach, Timehop said it is notifying individual compromised users as they log back into the platform.
The company also notified local and federal law enforcement entities and is actively working with an unnamed cyber intelligence firm to monitor whether the leaked data has appeared on the Dark Web or elsewhere.
“While none have appeared to date, it is a high likelihood that they will soon appear,” a spokesperson wrote.