Timehop, an app that allows users to find and claim old photos and posts on social media, has reported a data breach of its cloud computing environment on July 4, 2018, which compromised 20.4 million accounts, 3.8 million of which are in the GDPR zone.

According to an updated posting on its website yesterday, the information that was compromised includes users’ names, addresses, dates of birth, gender, country codes and telephone numbers. Further, access tokens provided to Timehop by its social media providers were also taken, which would allow the intruder to view social media posts without users’ permission.

Therefore, Timehop terminated the tokens and they can no longer be used. Timehop provided a very transparent list of information that was contained in the database so customers can confirm that no financial or Social Security numbers were involved.

Timehop should be commended for its transparency with regard to the amount of information it provided over the past week. It states on its website posting that it is trying to provide as much information as possible during the investigation (which is really difficult), but others have reported that they also were trying to comply with the new 72-hour reporting requirement for GDPR. This is a clear illustration of the difficulty that companies will face with an onerous GDPR notification requirement when all of the facts of the incident aren’t known. It adds confusion to the notification process to consumers when the facts change.

At any rate, if you have downloaded and use Timehop, take a look at Timehop’s website posting about the incident (https://www.timehop.com/security). Following the intrusion, Timehop implemented two-factor authentication and will require users to log in and reauthenticate each service to continue using the app. In addition, user streaks have been frozen and maintained. Since Timehop had users’ telephone numbers, it is also recommending that users “take additional security precautions with your cellular provider to ensure that your number cannot be ported” by adding a PIN to your account.