Authy App Breach: Millions of Phone Numbers Compromised


Twilio has announced a major security breach in its Authy app, leading to the exposure of millions of phone numbers. Acquired by Twilio in 2015, Authy is a renowned two-factor authentication app that provides an extra layer of account security. Learn more about the Authy app breach below!

Breach Overview and Twilio’s Response

According to Twilio, threat actors were able to access an unauthenticated endpoint in the Authy system, allowing them to extract information linked to user accounts, particularly phone numbers. 

A few days ago, the hacker group called ShinyHunters shared a database on BreachForums, claiming it included 33 million phone numbers from Authy users. Twilio said it has already taken measures to safeguard the endpoint by adjusting it to reject unauthenticated requests. 

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates,” the company stated in a security alert on July 1.

Security Implications and User Safety Guidelines

Despite the breach involving “only” phone numbers, the implications for security are significant. Possessing such a list enables attackers to convincingly impersonate Authy or Twilio in communications with users, potentially leading to successful phishing schemes. 

Twilio advised users to be vigilant as the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks and encouraged “all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”

This is not the first time Twilio has been targeted by hackers. In 2022, attackers accessed customer data and launched a phishing operation that compromised thousands of employee credentials from over 130 companies. 

During that attack, the intruders also manipulated 93 Authy accounts to register additional devices, thereby capturing authentic two-factor codes and potentially gaining unauthorized access to sensitive accounts.

Author: Anas Hasan

Date: July 4, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
