Intruders who infiltrated Timehop's cloud infrastructure came in through an admin account not protected with two-factor authentication and exfiltrated access keys removed more data than originally believed.
The additional user data stolen included dates of birth, gender and country, the company's COO Rick Webb told SC Media.
"It's Disclosure 101 to get it all out the first time," said Webb, adding it was a "horrible" realization that Timehop would have to make a second disclosure once it was discovered the hackers had grabbed more data than the company initially believed. "It was a boneheaded mistake," Webb said of missing a database that had been accessed during the breach in the company's rush to comply with notification best practices.
"Our investigation has continued as promised," the company said in an updated release, which included a timeline of the attack and a table detailing the information and "more granular information about the types of personally identifiable information that were breached, and a narrative to contextualise these disclosures."
Webb said Timehop had updated its disclosure to European regulatory authorities – the table showed that 174,000 GDPR records were breached – and was preparing a notification to all its European users. "We've been meticulously thorough" in complying with GDPR, said Webb, explaining that Timehop likely had set a high bar with documentation reporting the incident. "I feel sorry for anyone that goes after us."