The technology company said personal details, including names, e-mail addresses and some phone numbers had been compromised as a result of the breach.
The app is used by many as a way to see old social media posts from years gone by, stored from the likes of Facebook and Instagram. However, the firm said none of the “memories” posts it stores had been accessed.
Timehop confirmed access had been gained to its systems from a compromised account that was not protected by multi-factor authentication, where a user must provide two levels of password before being able to log in. Security experts called the lack of multi-factor authentication on Timehop’s systems a “schoolboy error”.
Dan Pitman, senior solutions architect at Alert Logic, said: “We’re seeing an increase in breach notification, as organisations do their utmost to adhere to the 72-hour imposed timescales.
“Although Timehop were guilty of a ‘schoolboy’ error by not applying multi-factor authentication to their remote access systems, it appears that the impact was limited by them not requiring data from their customers, where not necessary for service, and being able to rescind access via the access keys quickly.”
In its announcement on the breach, which the company said took place on 4 July, Timehop said: “The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service.
“Timehop has never stored your credit card or any financial data, location data or IP addresses.”
Allen Scott, consumer EMEA director at cyber security firm McAfee, urged people to improve their own personal cyber security to better protect themselves in the event of such breaches.