Twilio has disclosed that unknown attackers exploited an unauthenticated endpoint in the Authy app, exposing data linked to Authy accounts, including users’ phone numbers. The endpoint has been secured to prevent further unauthorized access.
This incident follows a recent BreachForums post by a user named ShinyHunters, who claimed to have obtained a database of 33 million phone numbers from Authy accounts.
Authy, a two-factor authentication (2FA) app owned by Twilio since 2015, is widely used to enhance account security.
Twilio has found no evidence that the attackers accessed other sensitive data or Twilio’s systems. However, the company advises users to update their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest versions.
#Twilio has confirmed that an unsecured API endpoint allowed #ShinyHunters threat actors to verify and leak the phone numbers of 33 million of Authy MFA users:#APISecurity
👇https://t.co/JFYH3c0COi pic.twitter.com/izQa025MZB— Sam Stepanyan (@securestep9) July 4, 2024
There is a risk that the exposed phone numbers could be used for phishing and smishing attacks. Twilio encourages all Authy users to remain vigilant about any suspicious texts they receive.
Maintaining strong security practices and regularly updating apps is essential in protecting personal information.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.