Timehop Security Breach

Information on Timehop’s Recent Security Incident

On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data. We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. While our investigation into this incident (and the possibility of any earlier ones that may have occurred) continues, we are writing to provide our users and partners with all the relevant information as quickly as possible.

First off, we would like to unequivocally apologize to our users for this incident. We commit to continued transparency about this incident, and this document is part of our effort to provide all our users and partners with the information they need to understand what happened, what we did, how we did it, and how we are working to ensure it never happens again.

• Some data was breached: names, email addresses, dates of birth, gender, country and some phone numbers. This affects some 21 million of our users. No private/direct messages, financial data, social media or photo content, or Timehop data (including streaks) were affected.

• To reiterate: none of your “memories” – the social media posts & photos that Timehop stores – were accessed.

• We are providing the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records. These are to be considered separately of one another – these are not additive. The total number of breached records was approximately 21 million.

Type of Personal Data Combination    # of Breached Records    # of Breached GDPR Records
Name, email, phone, DOB              3.3 million              174,000
Name, email address, phone           3.4 million              181,000
Name, email address, DOB             13.6 million             2.2 million
Name, phone number, DOB              3.6 million              189,000
Name and email address               18.6 million             2.9 million
Name and phone number                3.7 million              198,000
Name and DOB                         14.8 million             2.5 million
Name total                           20.4 million             3.8 million
DOB total                            15.5 million             2.6 million
Email addresses total                18.6 million             2.9 million
Gender designation total             9.2 million              2.6 million
Phone numbers total                  4.9 million              243,000

• Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. These keys were deauthorized by Timehop acting in concert with its social media provider partners by Sunday, July 8, at 3:30 pm Eastern Time. Timehop did not report the breach, which it discovered on July 5, 2018, to its users until after it was certain that the keys had been deauthorized and our social media provider partners had reported that they had not observed any suspicious activity. Timehop did this to ensure that it did not enable attacks by going public, which could encourage the attackers to move quickly to exploit their stolen data.

• These keys can no longer be used by anyone – so users must re-authenticate to our App.

• If you have noticed any content not loading, it is because Timehop deauthorized these proactively.

• We have no evidence that any accounts on our social media partner providers were accessed without authorization.

• We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.

• You may have noticed that you have been logged out of our App. We did this in an abundance of caution, to reset all the keys.

• The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. We don’t store copies of your social media profiles. We separate user information from social media content, and we delete our copies of your “Memories” after you’ve seen them. Timehop has never stored your credit card or any other financial data, or your location data.

• We do not store IP addresses for advertising or tracking purposes. We do log IP addresses for network audit purposes as disclosed in our Terms of Service. The servers that we run, like all web servers, log incoming traffic information, including IP addresses. At the scale at which Timehop operates, the servers generate millions of log lines. While we continue to investigate, at this time we have no indication that any of these were disclosed. Due to the manner in which log queries work with our cloud provider, we will never be able to say with 100% certainty that the intruders did not access IP addresses. Therefore, we are giving notification, now, that your IP address may have been compromised.

WHAT IS NEXT FOR USERS?

Because we have invalidated all API credentials, if you have not already done so, you will be asked to log in again to Timehop and re-authenticate each service you wish to use with Timehop. This will generate a new, secure token. As we mentioned, if you have noticed any content not loading, it is because we deauthorized these tokens proactively. Additionally, user streaks have been frozen and maintained for the time being.

Phone Number Security

If you used a phone number for login, then Timehop would have had your phone number. Please note that phone numbers also include country code. It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.

If AT&T, Verizon, or Sprint is your provider, this is accomplished by adding a PIN to your account. See this article for additional information on how to do this.

If you have T-Mobile as your provider, call 611 from your T-Mobile device or 1-800-937-8997 and ask the customer care representative to assist with limiting portability of your phone number.

For all other providers, please contact your cell carrier and ask them how to limit porting or add security to your account.

WHAT HAPPENED?

At 2:04 PM US Eastern Time on the 4th of July 2018, Timehop observed a network intrusion. The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.

The attack was detected, and two hours and nineteen minutes later – at 4:23 PM that same day – our engineers locked out the attackers (for a more complete technical description of the attack, please see this post). We have now updated our security to alert on the kinds of activities that were conducted.
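Timehop says the intruder used a cloud account credential that was not protected by multifactor authentication, and that alerting now covers "the kinds of activities that were conducted". The notice names neither the provider nor the activity. The following is an added example, not Timehop's tooling, of detection logic of that shape run over constructed audit-log records: it assumes an AWS CloudTrail-style JSON layout and flags sensitive API calls made on a session without MFA, activity from addresses outside the ranges the engineering team is expected to work from, and a burst of distinct reconnaissance calls by a single access key. The access key IDs, addresses, timestamps and the known-range list are made-up values.

```python
import ipaddress
from collections import defaultdict

# Calls an intruder typically makes while "looking around" (reconnaissance).
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "DescribeInstances",
               "DescribeDBInstances", "DescribeSecurityGroups"}
# Calls that copy data or open up access and should never run on a non-MFA session.
SENSITIVE_CALLS = {"CreateDBSnapshot", "CopyDBSnapshot", "ModifyDBInstance",
                   "AuthorizeSecurityGroupIngress", "CreateAccessKey"}
# Address ranges the engineering team is expected to work from (assumed; TEST-NET-3).
KNOWN_CIDRS = ["203.0.113.0/24"]


def _event(name, ip, key, mfa, when):
    """Builds one record in CloudTrail's JSON shape (constructed, not real log data)."""
    return {"eventTime": when, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}}


# Constructed sample: one key acting from an unknown address without MFA, plus one
# benign call by an engineer with MFA from a known range. Key IDs are AWS doc examples.
SAMPLE_EVENTS = [
    _event("GetCallerIdentity", "198.51.100.23", "AKIAIOSFODNN7EXAMPLE", "false", "2018-07-04T18:04:10Z"),
    _event("ListBuckets", "198.51.100.23", "AKIAIOSFODNN7EXAMPLE", "false", "2018-07-04T18:05:02Z"),
    _event("DescribeDBInstances", "198.51.100.23", "AKIAIOSFODNN7EXAMPLE", "false", "2018-07-04T18:06:41Z"),
    _event("ListUsers", "198.51.100.23", "AKIAIOSFODNN7EXAMPLE", "false", "2018-07-04T18:07:15Z"),
    _event("CreateDBSnapshot", "198.51.100.23", "AKIAIOSFODNN7EXAMPLE", "false", "2018-07-04T18:20:33Z"),
    _event("DescribeInstances", "203.0.113.5", "AKIAI44QH8DHBEXAMPLE", "true", "2018-07-04T18:21:00Z"),
]


def mfa_authenticated(event):
    """Long-term IAM user keys often carry no sessionContext at all; that counts as no MFA."""
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def analyze(events, known_cidrs=KNOWN_CIDRS, recon_threshold=3):
    """Returns a list of findings; each is a dict with rule, accessKeyId and detail."""
    known = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = []
    reported_sources = set()          # (key, ip) pairs already reported once
    recon_by_key = defaultdict(set)   # key -> distinct reconnaissance calls seen

    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        name = ev["eventName"]
        try:
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            src = None  # e.g. "ec2.amazonaws.com" when another service made the call

        if (src is not None and not any(src in net for net in known)
                and (key, str(src)) not in reported_sources):
            reported_sources.add((key, str(src)))
            findings.append({"rule": "unknown_source", "accessKeyId": key, "detail": str(src)})

        if name in SENSITIVE_CALLS and not mfa_authenticated(ev):
            findings.append({"rule": "no_mfa_sensitive_call", "accessKeyId": key, "detail": name})

        if name in RECON_CALLS:
            recon_by_key[key].add(name)

    for key, names in recon_by_key.items():
        if len(names) >= recon_threshold:
            findings.append({"rule": "recon_burst", "accessKeyId": key,
                             "detail": ",".join(sorted(names))})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the three rules fire only for the long-term key acting from 198.51.100.23; the MFA-backed call from the known range produces nothing. In production the same checks would run over the provider's audit stream rather than an in-memory list, and the "known ranges" rule is the one most likely to need tuning.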

While we continue to investigate, we have confirmed that this intrusion led to a breach of some data:

• Names, email addresses, dates of birth, gender, country and phone numbers belonging to our customers have been compromised.

• Additionally, “access tokens” provided to Timehop by our social media providers were taken. These tokens could allow a malicious actor to view without permission some of your social media posts. (as you will read below, we have terminated these tokens and they can no longer be used). In situations where our social media partners made use of two-part keys – a user part and a “secret” part – our secret parts of the keys were not compromised.

While we continue to investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens.

Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile. However, it is important that we tell you that there was a short time window during which it was theoretically possible for unauthorized users to access those posts – again, we have no evidence that this actually happened.

All the compromised tokens have been deauthorized, and are no longer valid. In addition to our communications with local and federal law enforcement, we are also in contact with all our social media providers, and will update users as needed, but again: there are no credible reports, and there has been no evidence of, any unauthorized use of these access tokens.
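The notice says that where a provider uses two-part keys, a user part and a secret part, the secret parts were not in the breached table. It does not name the protocol. The following is an added example, not Timehop's code, assuming the OAuth 1.0a scheme (which Twitter's API used) in which every request must carry an HMAC-SHA1 signature keyed with both the application's consumer secret and the user's token secret. It shows why a dump containing only the user token does not let its holder call the API: the provider recomputes the signature from the secrets it holds and rejects anything signed without them. Consumer key, secrets, token values and the API URL are made-up.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Made-up credentials for illustration (not real values).
CONSUMER_KEY = "timehop-app-key"                 # public application identifier
CONSUMER_SECRET = "app-secret-kept-server-side"  # never stored in the users table
OAUTH_TOKEN = "user-token-leaked-in-dump"        # the "user part": assume the attacker has it
TOKEN_SECRET = "user-token-secret-not-leaked"    # the "secret part": not in the breached table
URL = "https://api.example.com/1/posts"          # hypothetical provider endpoint


def _pct(value):
    """RFC 5849 percent-encoding: only unreserved characters are left unescaped."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded(base URL) & encoded(sorted 'k=v' pairs joined with '&')."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def provider_accepts(method, url, params, presented_signature,
                     consumer_secret=CONSUMER_SECRET, token_secret=TOKEN_SECRET):
    """Provider side: look up the secrets for (consumer key, token), recompute, compare."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


def request_params(oauth_token, nonce="c0ffee1234", timestamp="1530734640"):
    """OAuth protocol parameters plus one query parameter; nonce and timestamp are
    fixed here only so the example is deterministic."""
    return {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": oauth_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "count": "20",
    }


def legitimate_request():
    """The app holds both secrets, so its signature verifies."""
    params = request_params(OAUTH_TOKEN)
    sig = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return provider_accepts("GET", URL, params, sig)


def attacker_request_without_token_secret():
    """Worst case: the attacker has the leaked user token and even the consumer secret,
    but must guess the token secret. An empty guess (or any wrong guess) is rejected."""
    params = request_params(OAUTH_TOKEN)
    sig = sign("GET", URL, params, CONSUMER_SECRET, "")
    return provider_accepts("GET", URL, params, sig)


if __name__ == "__main__":
    print("legitimate request accepted:", legitimate_request())
    print("request signed without token secret accepted:", attacker_request_without_token_secret())
```

The protection depends on the provider actually requiring a signature; bearer-style tokens (OAuth 2.0 access tokens, as Facebook and Instagram issue) are usable by anyone who holds them, which is why the notice treats revocation, rather than the missing secret part, as the decisive step for those providers.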

HOW HAS TIMEHOP RESPONDED?

On the 4th of July, when Timehop detected the activity, our engineers moved rapidly to limit the damage created by this breach. On July 4th, before they understood this to be a security incident, the engineers restored service. On July 5th, as you can see on the timetable, the engineers began to treat this as an information security incident.

Timehop is moving aggressively and proactively to notify users, partners, and customers that the breach occurred. Timehop’s first priority has been to defend the social media and account data of its customers.

To that end:

• Timehop has conducted an initial audit, and continues to conduct a thorough audit, of all accounts, credentials, and permissions granted to all authorized users; and deployed enhanced security protocols to secure our systems, remove the intruders and protect your data. This document has been updated to reflect the latest available information. We will continue to update this document until we feel it is complete.

• Timehop has engaged a well-established and experienced cyber security incident response firm to lead the response, understand any exposure or potential exposure of customer data, ensure that no follow-on attacks are in progress, and create a recovery architecture.

• Timehop has engaged with its cloud computing provider to inform it of the incident and the actions taken, and to request follow-on assistance.

• Timehop has engaged a cyber threat intelligence and dark web research firm to gain intelligence about the attack and, working hand-in-hand with the incident response firm, to help prevent further attacks.

• Timehop is in communication with local and federal law enforcement officials, and is providing all requested information to cooperate in all respects with any investigation.

• Proactive and intensive collaboration and cooperation with our partners enabled Timehop to quickly assess the broader situation. We continue to monitor any impact with the help of these critical partners.

WHAT ARE ALL THESE TERMS, AND WHAT DO THEY MEAN

Attacker

An attacker is a user who gains access to our systems without our permission. Another common way to put it is that an attacker is an unauthorized user, or a “hacker”.

Compromise

A Compromise is an incident in which an unauthorized user breaks the confidentiality, integrity, or availability of a service – quite simply, it means that our security was broken.

Exposure

During a Compromise (or, “When our security is broken”) any data that the attackers – the unauthorized users – may have been able to look at, copy, or download can be considered to have been exposed.

Breach

A Breach is when data is actually taken from (or, “exfiltrated” from) our computing environment. It means that the attacker was able to break through our security and take what they wanted. This is different from a mere intrusion, which just means that someone got into our system.

Network Intrusion

A Network Intrusion is any time an unauthorized user, or attacker, is able to penetrate our network defenses and gain access to data or resources within our network.

Key

In this notice, a “key” is an access credential (an API key or access token) that a program presents to a service in much the same way a human uses a user name and a password; the keys that were taken are credentials of this kind. This is different from an encryption key, which is a string of characters used to scramble (encrypt) and unscramble (decrypt) data.

Access Token

An access token is a credential issued by a social media provider that lets Timehop read a specific account’s posts on the user’s behalf, without Timehop ever holding the user’s password. The provider can invalidate (“deauthorize”) a token at any time, after which it can no longer be used by anyone.

Cloud Computing Provider

Cloud computing is a fancy way to describe a data center not within our corporate headquarters, where our servers are stored and operated, and reached via the Internet. The best known cloud computing providers are Amazon Web Services, Microsoft Azure, and Google Cloud, but there are many such providers.

Reconnaissance

Cyber Reconnaissance is the activity of looking around in a computer network and becoming familiar with what kinds of computers, services, and data are present.

Dark Web

The Dark Web is a set of Internet web sites that anonymize user traffic and are accessible only using special anonymizing software. The Dark Web holds both legitimate and illegitimate services and Web sites.

FREQUENTLY ASKED QUESTIONS

What was breached and when?

A database containing usernames, dates of birth, genders, country, phone numbers, email addresses, and social media access tokens was breached on July 4, 2018. Social media access tokens were taken for all accounts. Not all accounts had names, phone numbers, or email addresses. Most accounts contained gender, country and date of birth information.

How do we know there won’t be more PII?

People have asked us whether more personally identifiable information will come out, and if we say no, how they can know. Rather than simply assure you, we are taking the transparent step of simply posting publicly the entirety of the schema of the table that contained personally identifiable information, so you can see for yourself what was taken. Note, as we have stated, an entire database was taken, and that database included access keys to social media sites. Those keys were in a different table of the database, which contained no PII, and which we are therefore not disclosing.

Breached database column, with a plain English description of what it is:

id: An automatically incrementing ID number
facebook_user_id: The Facebook user ID associated with a user; this has been deprecated in this table, and is public information
created_at (timestamp): The time at which the record was created
updated_at (timestamp): The time at which the record was last updated
persistence_token: An authorization token that kept the user’s session active. Deprecated and no longer used
email_address: The email address of the user
first_name: The user’s first name as listed in social media sites (not necessarily the person’s legal first name)
last_name: The user’s last name as listed in social media sites (not necessarily the person’s legal last name)
subscribed: Whether the user subscribed to legacy Timehop email. Deprecated and no longer used. Historical artifact from when Timehop was a daily email
admin: Whether the person has privileges to conduct some testing on local, native mobile applications
time_zone: The time zone identified to us by the user’s device
signup_steps_completed: Whether the user has completed the steps to sign up for the Timehop service
beta: Whether the user is registered as a Beta tester to help test early releases of the application
guid: A Globally Unique IDentifier. Deprecated (no longer used)
lower_email_address: The email address of the user converted to all lower case
phone_number: The user’s phone number as provided by the user
username: The user’s username
lower_username: The user’s username converted to all lower case
has_downloaded_iphone_app: Whether the user has downloaded the Timehop iPhone Application
downloaded_iphone_app_at (timestamp): When the user downloaded the Timehop iPhone Application
auth_token: Legacy auth token column. Deprecated and no longer used
downloaded_windows_app_at (timestamp): When the user downloaded the discontinued Timehop Windows Application
downloaded_osx_app_at (timestamp): When the user downloaded the discontinued Timehop Mac OSX Application
latest_app_version: The latest version of the Timehop application registered by the user
birthdate_key: The user’s birthday as provided by social media (and possibly as corrected by the user) in UNIX format
last_opened_app_at (timestamp): The date and time the user last opened the Timehop application
bounced_at (timestamp): Timestamp of the last time a user’s email bounced. Deprecated and no longer used. Historical artifact from the days when Timehop was a daily email
downloaded_android_app_at (timestamp): When the user downloaded the Timehop Android Application
latest_android_app_version: The latest version of the Timehop Android application registered by the user
last_opened_android_app_at (timestamp): The date and time the user last opened the Timehop Android application
throwbacks: Deprecated product feature, no longer used
country_name: The Country Name listed by the user in social media profiles
country: The Country Code listed in the device used by the user
language: The language setting listed in the device used by the user
gender: The user’s gender as provided to social media networks

How sensitive is the information?

The names, genders, country, and dates of birth of some of our customers were breached. We note that in many cases these are not the customer’s full legal name but rather the social media name as listed on their account. However, combined with other, outside data, this may identify an individual. Dates of birth further add to this ability. Some of our customers’ email addresses were lost, and a smaller number of our customers’ phone numbers. No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.

How many users were affected?

Many records contained more than one of the following:

• There were 20.4 million names in total (3.8 million in the GDPR zone).

• There were 15.5 million dates-of-birth in total (2.6 million in the GDPR zone).

• There were 18.6 million Email addresses total (2.9 million in the GDPR zone).

• There were 9.2 million gender designations total (2.6 million in the GDPR zone).

• There were 4.9 million phone numbers total (243,000 in the GDPR zone).

Will this affect my Streak?

No! By a wide margin, this has been the most commonly asked question, and the answer is that we will ensure all Streaks remain unaffected by this event.

Do you know if the data has been used?

All the access keys have been deauthorized and cannot be used, and we have no evidence that any were used in the short period during which they were exposed. On July 5th, Timehop retained the services of a well-established cyber threat intelligence company that has been seeking evidence of use of the email addresses, phone numbers, and names of users, and while none have appeared to date, it is highly likely that they will soon appear in forums and be included in lists that circulate on the Internet and the Dark Web.

What actions have you taken to ensure that this is the extent of the breach and won’t happen again?

There is no such thing as perfect when it comes to cyber security, but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades. We immediately conducted a user audit and permissions inventory; changed all passwords and keys; added multifactor authentication to all accounts in all cloud-based services (not just in our Cloud Computing Provider); revoked inappropriate permissions; increased alarming and monitoring; and carried out various other technical tasks related to authentication and access management and more pervasive encryption throughout our environment. We immediately began actions to deauthorize compromised access tokens and, as described above, worked with our partners to determine whether any of the keys had been used. In future we will encrypt all access tokens and API keys, emails, and phone numbers in our database.
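The breached table carried two legacy session-credential columns (persistence_token and auth_token) in the clear, and the response included logging every user out to reset keys. The following is an added example, not Timehop's code, of the pattern that makes a copied table useless for that class of credential: the server stores only a keyed hash of each session token and the token itself is returned to the client once. It assumes a "pepper" kept outside the database (an environment variable or key service), and it also shows the mass-revocation step. Provider access tokens are a different case, since they must be presented to the provider in the clear and therefore need reversible encryption rather than hashing; that is not covered here.

```python
import hashlib
import hmac
import secrets


class SessionTokenStore:
    """Server-side store for opaque session tokens.

    Each row holds HMAC-SHA256(pepper, token) -> user id, never the token itself,
    so a copy of the table contains nothing a client could present to log in.
    """

    def __init__(self, pepper: bytes):
        # The pepper lives outside the database (env var or key service): an assumption
        # of this example. Without it a dump could still be matched by anyone who
        # also obtains a token elsewhere; with it, hashes cannot even be recomputed.
        if len(pepper) < 32:
            raise ValueError("pepper must be at least 256 bits")
        self._pepper = pepper
        self._rows = {}  # token_digest -> user_id; stands in for a database table

    def _digest(self, token: str) -> str:
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int) -> str:
        """Mint a 256-bit random token, store its digest, hand the token to the client."""
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = user_id
        return token

    def resolve(self, token: str):
        """Return the user id for a presented token, or None if unknown or revoked."""
        return self._rows.get(self._digest(token))

    def revoke_all(self) -> int:
        """The 'log everyone out' step: every issued token stops working at once."""
        count = len(self._rows)
        self._rows.clear()
        return count

    def table_dump(self) -> dict:
        """What an attacker who copied the table would hold."""
        return dict(self._rows)


def dump_contains_usable_token(store: SessionTokenStore, dump: dict) -> bool:
    """Replay every stored value as though it were a token; all must fail."""
    return any(store.resolve(value) is not None for value in dump)


if __name__ == "__main__":
    store = SessionTokenStore(secrets.token_bytes(32))
    token = store.issue(42)
    print("resolves:", store.resolve(token))
    print("dump usable:", dump_contains_usable_token(store, store.table_dump()))
    print("revoked:", store.revoke_all(), "resolves after revoke:", store.resolve(token))
```

Because the token carries 256 bits of randomness, the hash does not need a slow password-hashing function; HMAC-SHA256 is enough, and lookups stay a single indexed read.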

Has law enforcement been informed?

Yes. Timehop is in communication with local and federal law enforcement officials and will cooperate with all investigations on this matter.

What are the implications in Europe under the new GDPR privacy law?

The GDPR became effective very recently and there are not many guidelines on how key concepts such as “risks to the rights and freedoms of the individuals” should be interpreted, but we are being transparent and pro-active and notifying all EU users on a voluntary basis and have done so as quickly as possible. We are also in contact with EU authorities. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.

©Timehop — 401 Broadway, New York, NY 10013



Voiceless

I had the honor and privilege of attending a viewing of the documentary film “Voiceless” last night at the Figge Art Museum in Davenport, Iowa.

The film focuses on five men who have experienced sexual abuse in their lifetime. Each man experienced the sexual assault in very different ways. While each experience was different, there were several things that seemed consistent through each story—

Each man talked about how the sexual assault impacted every single facet of his life. How they date, how they experience intimacy, how they eat and where, how they relate to family, even how they now define family. Each man talked about how he was, as a man, made to feel it was his own fault – he said yes; then no; how he smiled must have meant yes; the fact that he just lay there, terrified and unable to speak, must have meant he was enjoying it; the tears and terror on his face did not scream no or stop.

There are certainly hundreds of thousands of stories similar to, yet each unique from, the five stories told last night.

Voiceless produced and created by Vanessa McNeal is a film everyone NEEDS to see. It will change the way you see and understand the sexual abuse of men in our society.

HUGE thank you to Vanessa McNeal for her amazing work and dedication to this subject! Madeline at The Project of the Quad Cities definitely deserves kudos for everything she and her Team at TPQC did in getting this film viewing set up.

The entire QC should be proud to have folks like Vanessa and organizations like TPQC that are not afraid to stand up and talk about tough issues!

Vanessa’s website: http://www.vanessamcneal.com (you can purchase the films for $10 on her site!!)

The Project of the Quad Cities Website: http://www.tpqc.org (provides HIV testing, counseling, case management, client services, outreach, and education)

Time. . .

They say that time stands still for no one.

However, there are things the time bandit cannot steal away,

Cannot let you forget,

Holding them at bay

A far off memory-just out of reach.

A touch

Sound,

Smell

And it all comes back,

Not a heartbeat missed.

The still of the night

After the giggles

A single sound from the darkness.

Finally back home

Safe as a wolf pup with mama.

So time be not proud of your passage

Revel in knowing,

That in fact

You can stand still.

Post Traumatic Stress Syndrome

For millions of people around the world, the most traumatic events of their lives have never ended. PTSD is a lingering reminder that turns every day into a potential minefield, with flashbacks and triggers potentially hidden around every corner.

Post Traumatic Stress Disorder Awareness Month is dedicated to raising awareness about this life-long struggle and the people it affects, and how each of us can help make their lives just a little easier.

History of Post Traumatic Stress Disorder Awareness Month

Post Traumatic Stress Disorder is nothing new, and has been recognized by psychology practitioners since at least 1952, when it appeared in the DSM-I as a “Gross Stress Reaction”, defined as a “normal personality using established patterns of reaction to deal with overwhelming fear”. Even in these early days, it was recognized that it was a condition that existed within those who had experienced wartime as well as domestic traumas. It was with the establishment of the DSM-III that it got its current name, in part due to the experiences of soldiers during the Vietnam War.

The research involved in this further definition shed some light on the experiences and diagnosis regarding problems facing soldiers and other patients who experienced trauma in former years, including railway spine, battle fatigue, traumatic war neurosis, etc. Sadly there is no way to cure PTSD with present techniques, though there is a growing body of techniques to help manage these conditions, including psychotherapy, exercise therapy, service animals, and more. Post Traumatic Stress Disorder Awareness Month works to make the public more aware of this disorder, and to promote research to find further treatments, understand its causes, and determine what sort of preventative measures can be taken to keep it from developing in those who have experienced trauma.

How To Celebrate Post Traumatic Stress Disorder Awareness Month

The best way to celebrate is to take the time to understand the experiences and day to day realities of those around you who may be suffering from PTSD. Another important step is to never use the term PTSD lightly; as with most psychological disorders (OCD being a common example), there are people who will claim to experience it simply to describe personality quirks. This undermines the experiences of those who actually have these issues and denigrates the seriousness of the condition, which can lead to misunderstandings about its causes and effects. Volunteering with local groups that aid veterans of wartime situations will also make a huge difference to those who deal with it every day, as support is always lacking.

Nationwide protests against Trump’s family separation policy planned for June 30 – Vox

Activists are organizing a nationwide effort on June 30 to protest the Trump administration’s policy of separating families at the US-Mexico border.

— Read on www.vox.com/platform/amp/2018/6/18/17477376/family-separation-trump-administration-protests-june-30-families-belong-together