Twilio confirms Authy data breach

Attackers “were able” to identify which phone number represents which Authy account, the app’s owner Twilio said.

Twilio’s statement comes a week after attackers announced they had stolen 33 million Authy phone numbers. At the time, however, it was unclear if hackers could link Authy accounts with specific phone numbers.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said.

Twilio has also insisted that it has “seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.”

Authy is a popular two-factor authentication (2FA) service that provides additional security for accessing various sensitive accounts. While Authy user accounts themselves weren’t breached, threat actors could use stolen phone numbers to recover unauthorized accounts.

“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio said.

Personal data leak checker

Check whether your online credentials have been compromised with an up-to-date personal data leak checker tool.

Check if your data has been compromised

The company has also advised users to update their Authy app immediately to the latest Android and iOS versions.

The perpetrators behind the attack, ShinyHunters, have recently gained prominence in the underground community after several high-profile attacks involving the bank Santander and Ticketmaster.

In early 2024, Twilio said its 2FA desktop app would no longer be available for Windows, MacOS, and Linux users and advised customers to switch to the company’s mobile apps and to backup and sync their tokens across devices.

In 2022, Twilio disclosed a data breach, saying phishers tricked some of its employees into providing their credentials via voice phishing (vishing) and then used stolen credentials to access the company’s internal systems.