Timehop says it discovered and halted the breach around two hours after it started.
No financial data, private messages, direct messages, user photos, user social media content, social security numbers, or other private information was breached.
Timehop users who are anxious that the network intrusion and data breach might have affected their "Streak" - aka the number Timehop displays to denote how many consecutive days they have opened the app - are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".
Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.
The breach affected 21 million users, exposing their names, some email addresses, and approximately 4.7 million phone numbers attached to their accounts. Back in December, an unauthorized person used an admin's credentials to log in to Timehop's cloud computing servers and create a new admin account.
The hacker also stole the access keys for all 21 million users.
Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn't let crooks wander in and steal them.
Despite this, the company says it has no evidence that "any accounts were accessed without authorization".
The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure. It has automatically logged everyone out in order to reset security keys.
"The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service", the company wrote in part.
Timehop says that it is investigating what happened and conducting a complete audit.
"We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts", the company said, noting that this applied to all accounts, not just those in their cloud environment.
Timehop has already completed an initial audit of the situation and is now in the process of a more thorough one to analyze all of its security measures.
For now, by way of explanation, it writes: "There is no such thing as ideal when it comes to cyber security but we are committed to protecting user data". "We immediately began actions to deauthorize compromised access tokens, and as we describe below, are working with our partners to determine whether any of the keys have been used."
Timehop downplayed the impact of the attack.