The attacker also grabbed access tokens and keys, which let Timehop access and display your posts from the likes of Twitter, Instagram and Facebook. While there was a window in which the attacker could have used those tokens to scrape data from social media profiles, Dropbox, Google Photos and iCloud, Timehop deactivated the tokens quickly and said it found no evidence that the attacker accessed anyone's accounts -- but that doesn't mean it didn't happen.
How the breach went down is a little troubling, because a basic security measure was not enabled. Back in December, an unauthorized person used an admin's credentials to log into Timehop's cloud computing servers and create a new admin account. Over the next two days, and again in March and June, that person snooped on Timehop's data before launching the attack last Wednesday. Surprisingly, the account the attacker initially used to access the servers was not secured with two-factor authentication (i.e., a login must also be approved in a second way, typically with a code or an app on your phone). Timehop is now enabling multifactor authentication for all accounts.
Timehop says it discovered and halted the breach around two hours after it started. The company claims that no private messages, financial information or Timehop data (such as streaks) were compromised, and it deletes its copies of your old posts and photos once you've seen them. It doesn't store data like credit card information, location data or users' IP addresses either.
There's an ongoing investigation into the incident, and Timehop has brought in cybersecurity experts to shore up security. The breach follows in the wake of recent attacks on Ticketfly and MyHeritage -- tens of millions of users' data were affected in those incidents too.