Timehop has disclosed a security breach that has compromised the personal data (names and email addresses) of 21 million users.

Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The service, which plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, on 4th July (🇺🇸), and was able to shut it down two hours later — albeit, not before millions of people’s data had been breached.

Timehop also responded to say:

“There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.”

Ok… But surely you treat cyber security as an essential part of your service, you don’t just begin a program of security upgrades after the fact?

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident to trigger some encryption enhancements?

More about the incident, and Timehops official response, can be viewed here:


Questionable Privacy Stance

On starting up the Timehop app, you are asked to agree to the following:

Your privacy is important to us. To that end, we would like you to review our Privacy Policy and Terms & Conditions.

We recognize that Timehop might have access to a lot of your data if you have a large number of services connected. Please know that we do not store your data from these services – we grab seven days worth of data to make your Timehop work, and then we delete it. We do not permanently retain any of your social media data. Local photos are never uploaded or stored for any reason, they stay private to you.

Timehop does not sell your data. We won’t send you marketing emails if you don’t want us to. We share anonymized data with our advertising partners, including your gender, age and approximate location. We do not share your name or email with anyone, with two exceptions: When you make a support request, our support software provider (Zendesk) can see your name and email. And we use Amazon AWS for cloud storage of Timehop data. We have signed contracts with both of these providers ensuring your confidentiality.

If you do not wish to use Timehop, you can delete your account at any time in settings using the gear icon in the top left corner of the screen, or emailing us at privacy@timehop.com. When you delete your account, all of the data Timehop has that belongs to you will be deleted.


Interestingly, you can’t opt out of sharing your data with third party ad companies. So, making convent an explicit requirement to use the service, although questionable under GDPR, is the name of the game here.

And this hasn’t gone unnoticed. You just need to look at some of the most recent app store reviews on iOS to see others have picked up on this issue:


All in all, timehops communication post-breach was good, but it raised more questions (and possibly highlighted a lack of security awareness) than it answered. Coupled with the privacy issues above, it’s been a bad week for Timehop.

I’ll stick to my Photos app on iOS for my ’on this day’ photo memory fix. 🤓

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.