Timehop is admitting that additional personal information was compromised in a data breach on July 4.
The company first acknowledged the breach on Sunday, saying that users’ names, email addresses and phone numbers had been compromised. Today it said it that additional information, including date of birth and gender, was also taken.
To understand what happened, and what Timehop is doing to fix things, I spoke to CEO Matt Raoul, COO Rick Webb and the security consultant that the company hired to manage its response. (The security consultant agreed to be interviewed on-the-record on the condition that they not be named.)
To be clear, Timehop isn’t saying that there was a separate breach of its data. Instead, the team has discovered that more data was taken in the already-announced incident.
Why didn’t they figure that out sooner? In an updated version of its report (which was also emailed to customers), the company put it simply: “Because we messed up.” It goes on:
In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering