Social memories app Timehop has revealed more details of the data breach that affected 21 million users, which it has now confirmed also included the dates of birth and gender of some users.
The figures revealed that 2.2 million people in Europe had their name, email address and date of birth accessed in the breach, while 181,000 Europeans had their name, email and phone number information compromised.
Timehop initially said it believed only names, phone numbers and email addresses of around 21 million users had been affected.
“These new types of data are not part of a second breach. The incident we announced is the only incident we have suffered to date. The new information is the result of closer examination of forensics and logs,” the company said.
“Earlier reports of ‘up to 21 million emails’ were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records. These are to be considered separately of one another – these are not additive. The total number of breached records was approximately 21 million.”
The company has apologised for the incident.
Timehop is used by many as a way to see old social media posts from years gone by, stored from the likes of Facebook and Instagram – however, the firm said none of these “memories” posts it stores had been accessed.
Earlier this week the app confirmed access had been gained to its systems from a compromised account which was not protected by what is known as multi-factor authentication, where a user must provide two levels of password – sometimes an access code sent to another device linked to that account – before being able to log in.
Security labelled the lack of multi-factor authentication a “schoolboy error”, and Timehop has confirmed it is introducing it to its systems.
“We are deeply sorry for this secondary disclosure,” the company said of its update.
“In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything.
“We recognise this second disclosure creates the sensation that we are releasing information slowly, in a ‘drip drip’ fashion, to mitigate the potential fallout. We can only assure you that this is not the case. If anything, we are deeply embarrassed to have to make this secondary disclosure.”
