Authy Users Beware: Data Breach Exposes Phone Numbers! 

A data hack has put millions of users of Authy, a popular two-factor authentication tool, at risk. 

The breach, disclosed by Authy's creator Twilio on July 1st, 2024, did not compromise user accounts; instead, hackers could exploit a weakness to get phone numbers associated with Authy accounts.

This information might now be used in phishing and smishing attacks, in which attackers try to fool consumers into disclosing personal information by text message.

Authy Responds to the Data Breach Concerns

The organization stated that it took efforts to secure the endpoint and no longer accepts unauthenticated queries.

The news comes only days after a Web identity posted that a database containing 33 million phone numbers was supposedly obtained from Authy accounts.

Twilio has owned Authy since 2015, a popular two-factor authentication (2FA) tool that provides an extra layer of account protection.

They stated in a security advisory dated July 1, 2024, that:

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data."

#Twilio has confirmed that an unsecured API endpoint allowed #ShinyHunters threat actors to verify and leak the phone numbers of 33 million of Authy MFA users:#APISecurity
?https://t.co/JFYH3c0COi pic.twitter.com/izQa025MZB

— Sam Stepanyan (@securestep9) July 4, 2024

How Much Data Has Been Compromised & Who Caused the Breach?

In late June, a threat actor named ShinyHunters published a CSV text file containing what they claim to be 33 million phone numbers enrolled with the Authy service.

The CSV file has 33,420,546 rows, each with an account ID, phone number, "over_the_top" column, account status, and device count.

New details from Twilio about their social engineering attack. Attackers got access via SMS and phone call based attacks to steal credentials + MFA codes, then internal & customer data.
?Twilio just implemented FIDO security keys for all in response!?https://t.co/3ymRqwHpny pic.twitter.com/o2faRcZupZ

— Rachel Tobac (@RachelTobac) October 28, 2022

Twilio has now verified that the threat actors compiled the list of phone numbers through an unauthenticated API service. 

Twilio gave a statement that:

"Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests."

How Will They Cope Up with the Data Breaches from Now on?

Twilio stated that in 2022 the breaches occurred between June and August, allowing threat actors to breach its infrastructure and get access to Authy client information.

But now Authy has protected its API after a data scrape revealed phone numbers. Twilio has announced a new security update and advises that customers upgrade to the Authy Android (v25.1.0) and iOS App (v26.1.0), both of which include security updates. 

Users should update the app, turn on greater mobile security, and be aware of phishing attacks.

Twilio has also started sending data breach alerts after a third-party vendor's unencrypted AWS S3 bucket revealed SMS-related data transferred through the company.

Authy Data Leak: Stay Vigilant for the Future!

Considering the revealed phone numbers, Authy users are encouraged to update the app and exercise caution when receiving unwanted messages. 

While Twilio guarantees no more breaches and emphasizes the security of essential systems, vigilance remains critical in preventing phishing assaults.

And if you wish to keep your online information secure and prevent financial fraud attacks, consider using PurePrivacy.