Do you use Timehop?  If you’re not sure what that is, it’s a popular, clever little app that reminds social media users about posts they’ve made in the past. It can be quite handy, especially if you’re active on numerous social media accounts.

Unfortunately, the bloom is off the rose for Timehop.  Recently, the company announced that it had suffered a breach on the Fourth of July, which gave the hackers virtually unfettered access to the company’s cloud servers for more than two hours.  During that time, the hackers were able to make off with the names, email addresses and other account details of more than twenty-one million users.

Nearly five million of the records stolen (4.7 million) had phone numbers in the data.  As bad as that sounds, it gets worse.  Because of what Timehop is and how it works, it’s got hooks into all of the social media accounts of every member who uses the app.

Timehop uses tokens to access social media information.  Tokens that are now in the hands of the hackers, who could use them to view and/or “scrape” social media content (including private posts) uploaded by every one of the 21 million impacted users.  In short, even if you keep tight control over who can see your social media content, if you’re one of the impacted users, the cat is officially out of the bag.

The company says that they deactivated all tokens shortly after the incident was detected, but there was still a small window of time in which they could have been used.

As is the norm in cases like these, Timehop has issued an apology, is in the process of informing all affected users, and is working with law enforcement and an outside agency to assist with the forensic investigation.  This incident, however, underscores how easily it is to lose control of one’s data.

It’s not enough to simply exercise caution and be mindful of security on the social media channels you frequent.  You’ve also got to be mindful of what third parties you allow to access those channels, because any one of them could provide an inroad for a hacker.