Alarmingly, the company said data thieves could access Timehop's "access tokens", which allow its app to show people old social media posts from services such as Facebook and Instagram. "To reiterate: none of your 'memories' - the social media posts & photos that Timehop stores - were accessed".
Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn't let crooks wander in and steal them.
If you previously signed in to Timehop with your phone number, you'll want to call your mobile carrier and set up a strong, unique account passcode to protect your account and prevent your number from getting ported, or otherwise tampered with.
Timehop said that the details were stolen because it did not use two-factor authentication (2FA) on its cloud computing login.
Users were logged out of the app in order to reset all the keys.
But the company has also warned that "there was a short time window during which it was theoretically possible for unauthorized users to access those posts" but has "no evidence that this actually happened".
Secure your phone. Avoiding public Wi-Fi and installing a screen lock are simple steps that can hinder hackers. Again, some institutions offer notifications to help with this, which will alert you when your card is used online.
According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December using compromised admin credentials, and apparently conducted reconnaissance for a few days that month, for another day in March and for one day in June, before launching the attack on July 4, a US holiday.
Timehop has now invalidated all API tokens and produced one of the most comprehensive security bulletins we've ever seen, with a wealth of information including what the implications are under GDPR, or more specifically, that they are not entirely clear.
Users who used their phone number to log in are advised by the company to contact their mobile provider in order to make sure their number cannot be ported. "That cloud computing account had not been protected by multifactor authentication".
Despite this, the company says it has no evidence that "any accounts were accessed without authorization".
"No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected", the company said.
Timehop says it has notified all its European users of the breach. At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate.