Twilio, the company behind the two-factor authentication app Authy, has reported a security breach that exposed 33 million Authy-linked phone numbers due to an unsecured API endpoint.

Details of the Breach

Twilio disclosed the breach on July 1, 2024, in a blog post. The breach was caused by an “unauthenticated endpoint” that allowed unauthorized access to data associated with Authy accounts. While no passwords, two-factor authentication seeds, or other sensitive account details were compromised, phone numbers linked to Authy accounts were exposed.
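To make the "unauthenticated endpoint" failure mode concrete, the following added example (hypothetical code written for this page, not Twilio's or Authy's implementation) contrasts a lookup handler that accepts a caller-supplied phone number with no authentication against a hardened version that requires a bearer token, returns only the authenticated caller's own record, and rate-limits failed attempts. Account records, tokens, and addresses are constructed sample data; requests are plain dicts so the example runs without a web framework.

```python
"""Unauthenticated account lookup versus a hardened, self-scoped lookup.

Hypothetical example for this article; not Twilio's or Authy's code.
"""
import hmac
import time
from collections import defaultdict

# Constructed sample data (not real accounts): account id -> record.
ACCOUNTS = {
    "u-1": {"id": "u-1", "phone": "+15550001111"},
    "u-2": {"id": "u-2", "phone": "+15550002222"},
}
PHONE_INDEX = {rec["phone"]: rec for rec in ACCOUNTS.values()}

# Constructed credential store: bearer token -> account id it belongs to.
# A real deployment would store hashes of short-lived tokens, not plaintext.
TOKENS = {"tok-u1-constructed": "u-1"}


def weak_lookup(request):
    """Unauthenticated lookup keyed on a caller-supplied phone number.

    Anyone can submit a number and learn whether it is registered and which
    record is attached to it. No password or 2FA seed is returned, but the
    phone number itself is, which is the class of exposure the article
    describes.
    """
    rec = PHONE_INDEX.get(request.get("phone"))
    if rec is None:
        return 404, {"error": "no account"}
    return 200, rec


class HardenedLookup:
    """Authenticated, self-scoped lookup with a per-address failure limit."""

    def __init__(self, max_failures=5, window_seconds=60, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self._failures = defaultdict(list)  # remote address -> failure times

    def _too_many_failures(self, addr):
        now = self.clock()
        recent = [t for t in self._failures[addr] if now - t < self.window]
        self._failures[addr] = recent
        return len(recent) >= self.max_failures

    def _record_failure(self, addr):
        self._failures[addr].append(self.clock())

    def _subject(self, request):
        """Return the account id bound to a valid bearer token, else None."""
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        for token, account_id in TOKENS.items():
            # Constant-time comparison so token checks do not leak by timing.
            if hmac.compare_digest(presented, token):
                return account_id
        return None

    def lookup(self, request):
        addr = request.get("remote_addr", "unknown")
        if self._too_many_failures(addr):
            return 429, {"error": "too many requests"}
        account_id = self._subject(request)
        if account_id is None:
            self._record_failure(addr)
            return 401, {"error": "authentication required"}
        # The endpoint never takes a phone number as input; it returns only
        # the authenticated caller's own record, so there is nothing for a
        # token holder to enumerate and nothing for an anonymous caller at all.
        return 200, dict(ACCOUNTS[account_id])


if __name__ == "__main__":
    print(weak_lookup({"phone": "+15550001111"}))
    h = HardenedLookup()
    print(h.lookup({"remote_addr": "203.0.113.5"}))
    print(h.lookup({"remote_addr": "198.51.100.7",
                    "headers": {"Authorization": "Bearer tok-u1-constructed"}}))
```

The important design change is not the rate limit but the shape of the endpoint: the weak handler answers questions about arbitrary phone numbers, while the hardened one can only ever return the record belonging to the credential that was presented. Rate limiting on failed authentication is a second, independent control that slows credential guessing and gives monitoring a signal (repeated 401/429 responses from one address) to alert on.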

Threat and Response

The hacking group ShinyHunters has been identified as responsible for the breach. They have leaked a file containing the phone numbers on a hacking forum, increasing the risk of phishing attacks and SIM swapping. In response, Twilio has secured the vulnerable endpoint and assured users that no other Twilio systems or sensitive data were accessed. Users are urged to update their Authy apps to the latest versions (Android v25.1.0 or later, iOS v26.1.0 or later) to enhance security.

Preventive Measures for Users

Authy users are advised to take the following steps:

  • Update the Authy App: Ensure you are using the latest version, which includes important security updates.
  • Enable SIM Lock: Secure your SIM card with a passcode to prevent unauthorized transfers.
  • Beware of Phishing and Smishing: Be cautious of unsolicited messages or calls requesting login information, as these could be attempts to steal your credentials.
  • Consider a different Authenticator App: You can also switch to a different 2FA app altogether. Aegis Authenticator is one of the various free-to-use options for Android users.

Official Statement from Twilio

Twilio has reiterated its commitment to security and transparency, stating, “We believe that the security of our products and our customer’s data is of paramount importance and when an incident occurs that might threaten that security, we tell you about it.”

Twilio’s Security Incident Response Team is actively monitoring the situation and will provide updates as necessary. Users experiencing issues with their Authy accounts are encouraged to contact Authy support for assistance.

(Source, via)