Photo: Shutterstock A few years ago, Timehop posts were all the rage on my social media feeds. The service plumbs the depths of your social media archives to resurface moments you may have enjoyed throughout your history on a social media platform—a photo of you and your friends at graduation, a great joke you made five years ago, a check-in from a vacation you took a few years back. It was a fad that people briefly loved and later forgot about, an increasingly common life cycle for some social media companies. The novelty app has now become a significant security issue for its users. The app recently posted a blog post to its website indicating that it was subject to a data breach on July 4 that exposed 21 million users' personal information, including email addresses and phone numbers for over 4 million users. The breach also exposed users' “access tokens,” a set of keys issued for every user that give Timehop access to users' linked social media accounts in order to pull content from them. The exposure of these tokens might have allowed hackers to view users' social media posts, but not the full content of their accounts (things like messages, friends' posts and the like are not accessible through these tokens). Timehop deauthorized tokens and the company has noted that there is “no evidence” that social media posts were viewed, but Robert Braun, a Los Angeles-based partner at Jeffer Mangels Butler & Mitchel l, thinks that this kind of access is likely part of the reason that Timehop was an attractive target to hackers to begin with. “Social media gives the opportunity for people to create profiles of their targets. They're not just looking for any targets, they're looking for targets in specific locations. This is spearphishing,” Braun said. By scraping personal data from specific users, hackers can develop targeted ways to entice specific users to download things, or potentially make guesses at account passwords. A lot of this information is actually fairly freely posted to social media accounts. “When I look at things that people don't always consider as being sensitive personal information, things like an email address, your phone number, birth date, kids' names, that's how people build a profile,” Braun explained. “It's a classic case of if you combine enough innocuous information, then you have some sensitive information all together,” Braun added. Though the greatest concern for users following a data breach is often financial information, hackers often find that financial information isn't the most valuable asset they can pull. “You're thinking they want credit card information, and that's sort of commoditized. If you go on the dark web, there's this huge supermarket for that kind of information. It's low value, high volume. It has a very short shelf life. Once someone finds out, its very easy to change your credit card number and that kind of information,” Braun said. A platform like Timehop holds a different kind of value because of the number of platforms it connects to, including both public-facing platforms like Facebook and Twitter, and user-restricted private platforms like Instagram or Dropbox. “One of the things we always look for when we analyze a data situation—what the data security profile of a company is—is how many access points there are and how many people can touch the data,” Braun noted. “If I were your average run-of-the-mill hacker, I'd say, 'Wow that's a great target,'” Braun added. The breach is also among the first major incidents governed by the General Data Protection Regulation (GDPR), which went into effect on May 25. Timehop addressed its GDPR requirements in its public breach notification post, writing, “Although the GDPR regulations are vague on a breach of this type (a breach must be 'likely to result in a risk to the rights and freedoms of the individuals'), we are being pro-active [sic] and notifying all EU users and have done so as quickly as possible.” The company spoke to NBC about dealing with GDPR (Timehop chief operating officer Rick Webb called the notification requirements “more complex than buying a house”), but Braun doesn't see much of GDPR's imperatives in the company's response. “It looks like no different than something I would've seen pre-May 25,” Braun said, flagging the GDPR's May effective day. As U.S. companies begin to define their own relationship to GDPR (and to face stricter domestic privacy policies ), Braun expects that breach responses will also change. He also hopes, however, that consumers will change with them. “I believe very strongly that you cannot remove the consumers from the equation. They have to be responsible for their data,” Braun noted. “The whole thing we're seeing, the seismic shift is to say 'your data is your property.' It means you can stop people from using it, but it also means you have to protect it.”