"These tokens could allow a malicious actor to view without permission some of your social media posts", they write, noting that this largely means access to posts a user posts on their own walls.
The startup, whose service plugs into users' social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later - albeit not before millions of people's data had been breached.
Timehop users who are anxious that the network intrusion and data breach might have impacted their "Streak" - aka the number Timehop displays to denote how many consecutive days they have opened the app - are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".
The breach also led to a loss of access tokens that the service uses to access users' posts on other social networks. Names, email addresses and phone numbers have been obtained, and the company urges users to take urgent steps to protect their cellphone numbers ... Following the breach, Timehop also reset all its passwords and added multifactor authentication to all its accounts linked to cloud-based services. However, Timehop claims that the tokens were deauthorized and made invalid within a "short time window" and cannot be used to gain access to users' social media profiles.
Timehop revealed that its security was breached and that the data of 21 million users was compromised.
Keys that let Timehop read and show you your social media posts (but not private messages) were also compromised. We have deactivated these keys so they can no longer be used by anyone - so you'll have to re-authenticate to our App.
Despite this, the company says it has no evidence that "any accounts were accessed without authorization".
We have been working with security experts and incident response professionals, local and federal law enforcement officials, and our social media providers to assure that the impact on our users is minimized.
The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.
The stolen data consisted mostly of user names and email addresses. Doing so may end up leading to a bunch of content being inaccessible for a while whilst a new set of keys establishes itself.
As of now, Timehop claims that there is no evidence of the stolen data being used. "As soon as the incident was recognized we began a program of security upgrades". We immediately began actions to deauthorize compromised access tokens, and as we describe below, are working with our partners to determine whether any of the keys have been used.
Timehop has also provided a more detailed breakdown of the attack if you want to learn more about what happened.