It turns out that more than just names, usernames, email addresses and phone numbers were pilfered in the recent Timehop breach. You can add "birthdate" and "gender" to the list of data stolen in last week's hack, too. The company apologized for the piecemeal way it has delivered the information to customers, and has published a timeline of the events, which started last December and concluded July 5th.
Last week the company said that 21 million accounts were affected in total. It turns out that number wasn't entirely accurate, because Timehop apparently didn't hold the same amount of information on every user. New figures from the company peg the breach at 18.6 million email addresses affected, but only 15.5 million dates of birth. Only in a "very, very small percentage" of cases were dates of birth, email addresses, full names and phone numbers all stolen together, a combination that could lead to identity theft.
Timehop said that social media sites it connects to haven't noticed any suspicious activity and that it has begun requiring users to reauthorize their linked accounts. That's in addition to putting two-factor authentication in place for all accounts. The company is also in the process of encrypting its databases and has disclosed the IP address of the attacker to law enforcement.
What the attacker didn't make off with were any "memories," Timehop's bread and butter. The yellowing social media posts that Timehop resurfaces for users were stored in a separate database from the one holding personally identifying information. "That stuff is what we cared about, that stuff was protected," COO Rick Webb told Engadget sister publication TechCrunch. "We have to make a mental note to think about everything else."
For a deeper look at the situation and how the company is responding, make sure to check out TechCrunch's interview linked in this post.