Twilio confirms Authy data breach

Last updated: 4 July 2024
Twilio Authy
Image by Pavlo Gonchar via Getty Images.

Attackers “were able” to identify which phone number represents which Authy account, the app’s owner Twilio said.

Twilio’s statement comes a week after attackers announced they had stolen 33 million Authy phone numbers. At the time, however, it was unclear if hackers could link Authy accounts with specific phone numbers.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said.

ADVERTISEMENT

Twilio has also insisted that it has “seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.”

Authy is a popular two-factor authentication (2FA) service that provides additional security for accessing various sensitive accounts. While Authy user accounts themselves weren’t breached, threat actors could use stolen phone numbers to recover unauthorized accounts.

“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio said.

Personal data leak checker

Check whether your online credentials have been compromised with an up-to-date personal data leak checker tool.

Check if your data has been compromised

The company has also advised users to update their Authy app immediately to the latest Android and iOS versions.

The perpetrators behind the attack, ShinyHunters, have recently gained prominence in the underground community after several high-profile attacks involving the bank Santander and Ticketmaster.

In early 2024, Twilio said its 2FA desktop app would no longer be available for Windows, MacOS, and Linux users and advised customers to switch to the company’s mobile apps and to backup and sync their tokens across devices.

In 2022, Twilio disclosed a data breach, saying phishers tricked some of its employees into providing their credentials via voice phishing (vishing) and then used stolen credentials to access the company’s internal systems.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Jensen Huang’s quantum pivot: when tech leaders admit they’re wrong
Meta AI rolling out in Europe in the coming weeks
“They’re still sulking about the EU switching to USB C:” users react to Apple’s next iPhone plans
Rooting Android invites hackers: up to 3,000 times more vulnerable
Phishing campaign shifts focus to Macs after browsers enhance security on Windows
Links to the “free” TradingView version hide crypto-stealing malware on Reddit
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked