The breach occurred on July 10 but was confirmed by the company in early August, and later reported to the California attorney general.
Names, dates of birth and user email addresses were accessed by hackers, but the company said it wasn’t known if data had been exfiltrated. The company also said that users’ scrambled passwords were exposed in the breach, but were hashed and salted, making it difficult for anyone to reveal the original password.
The New York City-based company also said in a security announcement that user geolocations were also exposed to hackers, but noted that it “does not keep geolocation information for all users.”
Payment data is not thought to be affected as it’s stored in a separate system, the company said.
Animoto CEO Brad Jefferson told TechCrunch that the number of users affected isn’t known but all 22 million users will be notified.
Animoto is the latest social media service to be breached. Last month, Timehop revealed a breach affecting 21 million users, exposing their names, email addresses, gender and dates of birth. Timehop’s breach was largely attributable to the company’s lack of two-factor authentication on its network, which helps prevent hackers from reusing already exposed credentials from breaches of other sites and services.
Animoto didn’t say how its breach occurred but pointed to “suspicious activity” on its systems. The company also said it reset employee passwords and reduced employees’ access to critical systems.