Since discovering a data breach on July 4, Timehop has now admitted that more user data was compromised. Both on its blog and through an interview with TechCrunch, the popular app that shows users social content from previous years clarified the extent of the breach which has now been removed.
On Wednesday, Timehop explained that dates of birth, the gender of users, and country codes for some users were also exposed. It previously said only names, emails addresses, and some phone numbers weren’t safeguarded. Additionally, although the total number a breached accounts did top 21 million as previously reported, a new breakdown suggests the number of those most affected across the board was much lower.
For example, it says that 18.6 million email addresses were compromised (down from the “up to 21 million” addresses first reported), compared to 15.5 million dates of birth. In total, the company says 3.3 million records were compromised that included names, email addresses, phone numbers and DOBs.
According to Timehop CEO Matt Raoul, COO Rick Webb, and the security consultant hired to oversee the data breach, the company’s original announcement was made before it knew everything. They explain:
With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed.
This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.
As previously noted, Timehop admitted to the data breach on Saturday, July 7. It indicated that the breach started on Wednesday, July 4 at 2:04 EDT and lasted for 2 hours and 19 minutes. Timehop said at the time that no media content, financial data, or Timehop data was affected by the breach.
As a precaution, Timehop has required that all users re-authenticate their social accounts with the app to continue to use the service.
No one likes seeing data breaches occur, of course. However, in the case of Timehop, I think it should be commended for its transparency. After admitting to the issue soon after it occurred, the company then clarified the situation as more details emerged.
Not every company hit with a breach would act like this, in my humble opinion.
What say you? Do you think Timehop has been open enough about this situation? Let us know below.