Nostalgia aggregator Timehop has revised its advice about the data breach it reported earlier this week.

The news is bad in two dimensions, the first of which is that the company has found more data was accessed. Updates to its oops! post has now added “dates of birth, gender [and] country codes” to the list of lost information, in addition to names email addresses and phone numbers. After “closer examination of forensics and logs” the company has also revised its estimates of lost records and added an analysis of how many put it on the wrong side of GDPR.

Here’s its full accounting of the leakage.

Type of Personal Data Combination Number of breached records Number of breached GDPR records Name, email, phone, DOB 3.3 million 174,000 Name, email address, phone 3.4 million 181,000 Name, email address, DOB 13.6 million 2.2 million Name, email address, DOB 3.6 million 189,000 Name and email address 18.6 million 2.9 million Name and phone number 3.7 million 198,000 Name and DOB 14.8 million 2.5 million Name total 20.4 million 3.8 million DOB total 15.5 million 2.6 million Email addresses total 18.6 million 2.9 million Gender designation total 18.6 million 2.6 million Phone numbers total 4.9 million 243,000

The second nasty dimension is that Timehop has revealed that the attacker who lifted the data was able to access its systems since December 2017 and logged on during March and April 2018 without detection, in part thanks to the absence of two-factor authentication. Those visits yielded nothing of value, but “In April, 2018, Timehop employees migrated a database with personally identifiable information into the environment. The attacker saw this when they logged in on June 22, 2018. The unauthorized user then logged in again on July 4, 2018, when the database containing PII was stolen.”

The timelines also reveals that while Timehop observed the attacker had changed database passwords and done some CPU-churning and end-user-disrupting work with snapshots, the company didn’t realise it had been attacked for nearly 24 hours.

The steps that followed suggest swift escalation to the C-suite, but by the time incident response processes kicked in the data was gone.

With the company admitting its GDPR exposure, The Register imagines some dark days lie ahead of Timehop given the magnitude of penalties available under that regulation. ®