Credential theft

Timehop Social Memory App Breach: 21 Million Users, Access Tokens

📅 2018-07-04 🏢 Timehop cloud production environment / user database
Primary Source ↗

Incident Details

On 4 July 2018 (US Independence Day), an attacker used a compromised credential for Timehop's cloud computing environment to access the company's production environment. The credential was not protected by multi-factor authentication (MFA). Timehop is an app that resurfaces users' 'memories': social media posts from the same date in previous years, which it reads through OAuth-linked social accounts. From the cloud environment the attacker reached Timehop's user database and the social network access tokens stored alongside it.

The breach affected approximately 21 million users. Exposed data included names, email addresses, phone numbers (for approximately 4.7 million users), dates of birth and genders. More critically, the attacker also obtained the OAuth access tokens Timehop held for users' social networks, including tokens for Facebook (approximately 19 million users), Instagram (approximately 16 million users) and Twitter. Such tokens are effectively bearer keys to the linked accounts: until revoked, anyone holding one can call the social network's API on the user's behalf within the scope the app was granted, which for Timehop meant reading users' historical posts. Timehop deactivated all of the compromised tokens, which forced users to re-authenticate every connected social account.

The breach was publicly disclosed on 8 July 2018. The root cause was identified as the absence of MFA on the cloud environment administrator account whose credential was stolen; the company subsequently enforced MFA on all cloud environment access.
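The control that was missing here is visible in audit logs long before a breach: every successful use of a cloud credential without a second factor is a finding. The following is an added example, not Timehop's code, and the page does not name the cloud provider; it runs a detection over constructed CloudTrail-style JSON events, where `additionalEventData.MFAUsed` (console sign-ins) and `userIdentity.sessionContext.attributes.mfaAuthenticated` (API calls) record whether MFA was presented. The principals, IPs and access key in the sample are made up.

```python
"""Flag cloud-account authentication that succeeded without MFA.

Added example; not Timehop's code. The event schema is CloudTrail-style and
is an assumption: the page does not say which provider Timehop used.
"""
import json
from collections import Counter

# Constructed sample events (not real Timehop logs). "ops-admin" and
# "alice" are made-up principals; IPs are documentation ranges.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {   # console sign-in with only a password: the gap described above
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # console sign-in that presented a second factor
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "192.0.2.10",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # failed sign-in: no access was gained, so not a finding
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "sourceIPAddress": "203.0.113.9",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # API call with a long-lived access key and no MFA in the session
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                         "accessKeyId": "AKIAEXAMPLE",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # API call from an MFA-authenticated session
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "sourceIPAddress": "192.0.2.10",
    },
]]


def mfa_used(event: dict) -> bool:
    """True only when the record positively shows a second factor.

    Records that carry no MFA attribute at all (for example API calls made
    directly with a long-lived key) are treated as unprotected.
    """
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def succeeded(event: dict) -> bool:
    """Console sign-ins report Success/Failure; API calls carry errorCode on failure."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("responseElements", {}).get("ConsoleLogin") == "Success"
    return "errorCode" not in event


def find_unprotected_access(raw_events):
    """Return (user, action, source_ip) for every successful non-MFA credential use."""
    findings = []
    for line in raw_events:
        event = json.loads(line)
        if succeeded(event) and not mfa_used(event):
            findings.append((
                event.get("userIdentity", {}).get("userName", "<unknown>"),
                event["eventName"],
                event.get("sourceIPAddress", "<unknown>"),
            ))
    return findings


def principals_missing_mfa(raw_events) -> dict:
    """Count findings per principal: the accounts to enforce MFA on first."""
    return dict(Counter(user for user, _, _ in find_unprotected_access(raw_events)))


if __name__ == "__main__":
    for user, action, ip in find_unprotected_access(SAMPLE_EVENTS):
        print(f"NO-MFA {user:<10} {action:<13} from {ip}")
    print(principals_missing_mfa(SAMPLE_EVENTS))
```

Run against a real trail, the same two functions turn the "we had no MFA on that account" finding into a concrete list of principals and source addresses; the conservative default (absent MFA evidence counts as unprotected) matters because long-lived API keys used directly produce no session attributes at all.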

Technical Details

Initial Attack Vector
An attacker used a compromised cloud environment credential that was not protected by multi-factor authentication to access Timehop's production cloud environment. From there, the attacker accessed Timehop's production database and the stored social network access tokens.
Vendor / Product
Timehop cloud production environment / user database

Timeline

  1. 2018-07-04 Breach occurred
  2. 2018-07-08 Publicly disclosed
  3. 2018-07-08 Customers notified