Timehop, a service that surfaces a user’s past social media content, has revealed a security breach that hit the company on July 4, and resulted in a database of 21 million users hit.

As a result, the company has voided all social media authorisation tokens it held, and is alerting its users.

Around 4.7 million phone numbers were breached, alongside its usernames and email addresses. Timehop said no financial data was affected, nor social media content, and there has been no evidence of any improper account access.

“A small number of records included a name, a phone number, and an email address; a somewhat larger number included a name and phone number; a larger number included a name and an email address,” the company said. “No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.”

The intrusion began just after 2pm EST on July 4, and ended two hours and 19 minutes later when the attackers were locked out, Timehop said.

“The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication,” it said.

In another blog post, the company said that on December 19, admin credentials were used an by unauthorised user to log in into its cloud environment, and began reconnaissance activities over the next two days, and logged in twice more leading up to July 4.

“Once we recognised that there had…