Timehop, an app that resurfaces people's old social media posts, has admitted that it was hit by a data breach that affected 21 million users.
Alarmingly, the company said data thieves could access Timehop's "access tokens", which allow its app to show people old social media posts from services such as Facebook and Instagram.
"These tokens could allow a malicious actor to view without permission some of your social media posts," the company said.
Timehop has terminated the tokens and said there's no evidence that anyone accessed social media data. But the company also said the breach had started in December, and that it only became aware of the problem in July.
"[It] is important that we tell you that there was a short time window during which it was theoretically possible for unauthorised users to access those posts… we have no evidence that this actually happened," the company said.
The company said names, email addresses, and some phone numbers for the 21 million users were lifted.
Some 4.7 million user accounts had a phone number attached. However, no financial data or private messages were affected.
Timehop also admitted that the breach took place because an "unauthorised user" was able to access its cloud computing account, which wasn't protected by strong two-factor authentication.
"The breach occurred because an access credential to our cloud computing environment was compromised," the company said.
"That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts."
The company is advising those whose phone number was lifted to take "additional precautions" with their mobile providers.
This article was originally published by Business Insider.