At least 21 million users have been affected by a data breach that occurred in the span of two hours and nineteen minutes on July 4.

Timehop, a service that aggregates social media posts, reported on Sunday that an access credential to its cloud computing environment was compromised. The cyberattacker was able to easily access the account because it was not protected by multi-factor authentication–a strongly recommended cybersecurity best practice.

During the two-plus hours of the intrusion, the hacker was able to steal the usernames and email addresses of 21 million users; 4.7 million of those records also included phone numbers. Compounding the problem, the hacker also was able to take “access tokens” given to Timehop by the various social media providers. These tokens, which Timehop uses to read and serve up users’ social media posts, are similar to bank account routing and account numbers in terms of identifying specific accounts. As Gizmodo reports, “Theoretically, those tokens could be used to view (and scrape) social media posts that aren’t made public, but Timehop claims that it deactivated the tokens quickly and there’s no evidence that anyone’s accounts were accessed.”

While its investigation is ongoing, Timehop has learned that an authorized user’s credentials were used by an impostor on December 19 to log into Timehop’s cloud provider account. From there, the hacker created a new admin account and began sniffing around, reportedly doing reconnaissance on four occasions as lead-up to last week’s incident.

When the hacker launched the cyberattack on July 4, Timehop was able to contain the incident fairly quickly. A statement on the company website says, “At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 PM, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”

To Timehop’s credit, it has enacted a six-point incident response plan.

  1. Conducted an initial audit, and is auditing all accounts, credentials, and permissions granted to authorized users; and deployed enhanced security protocols to secure systems, remove intruders and protect data.
  2. Engaged a cybersecurity firm to analyze exposure or potential exposure of customer data; ensure that no follow-on attacks are in progress; and to map out a recovery architecture.
  3. Notified its cloud computing provider of the incident and the actions taken, and to request follow-on assistance.
  4. Hired a cyber threat intelligence and dark web research firm to learn about the attack and work to prevent further attacks.
  5. Established communication with local and federal enforcement to conduct an investigation.
  6. Collaborated with partners to quickly assess the situation and monitor impact.

Get the full story at Gizmodo.