Twilio, the firm responsible for the two-factor authentication app Authy, has experienced a security breach that exposed 33 million phone numbers linked to Authy accounts due to an unsecured API endpoint.
Details of the Breach
On July 1, 2024, Twilio revealed the breach through a blog post. The incident was caused by an “unauthenticated endpoint” that permitted unauthorized access to data linked to Authy accounts. Fortunately, no passwords, two-factor authentication seeds, or other highly sensitive account details were compromised, but phone numbers associated with Authy accounts were exposed.
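The risk class behind this incident is an API endpoint that answers questions about account data without first authenticating the caller: every response confirms or denies a phone number, and repeated calls enumerate the whole store. The Python below is an added illustration, not Twilio's or Authy's code; the account store, session tokens, rate limiter and handler names are all constructed for the example. It places a deliberately unauthenticated lookup beside a hardened version that requires a session, scopes the lookup to the caller's own account and bounds how fast any single client can probe.

```python
"""Added example (not Twilio's or Authy's code): an unauthenticated account
lookup endpoint beside a hardened one. All data and names are constructed."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample account store: phone number -> account id (hypothetical)
ACCOUNTS = {
    "+15550000001": "acct-001",
    "+15550000002": "acct-002",
}

# Constructed set of valid session tokens -> account id (hypothetical)
VALID_SESSIONS = {"session-abc": "acct-001"}


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated endpoint: anyone can learn whether a phone number
    is linked to an account, so repeated calls enumerate the whole store."""
    if phone in ACCOUNTS:
        return {"status": 200, "registered": True, "account_id": ACCOUNTS[phone]}
    return {"status": 200, "registered": False}


@dataclass
class RateLimiter:
    """Fixed-window limiter keyed by client identifier (hypothetical)."""
    limit: int = 5
    window_s: float = 60.0
    hits: dict = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        start, count = self.hits.get(client, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0          # new window for this client
        count += 1
        self.hits[client] = (start, count)
        return count <= self.limit


def hardened_lookup(phone: str, session_token: Optional[str], client_ip: str,
                    limiter: RateLimiter, now: Optional[float] = None) -> dict:
    """Same endpoint with three defences:
    1. a per-client rate limit bounds how fast anyone can probe;
    2. a valid session is required before any account data is consulted;
    3. a caller may only resolve the phone bound to their own account,
       and every other number gets the same 404, so the endpoint cannot
       be used to confirm whether a third party's number is registered."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(client_ip, now):
        return {"status": 429}
    account = VALID_SESSIONS.get(session_token or "")
    if account is None:
        return {"status": 401}
    if ACCOUNTS.get(phone) != account:
        return {"status": 404}
    return {"status": 200, "account_id": account}
```

The ordering matters: the rate limit runs before the session check so that unauthenticated probing is throttled too, and the hardened handler never distinguishes "number not registered" from "number registered to someone else".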
Threat and Response
The hacking group ShinyHunters has been identified as the culprits behind the breach. They have released a file containing the exposed phone numbers on a hacking forum, which has heightened the risk of phishing attacks and SIM swapping. In response, Twilio has secured the vulnerable endpoint and assured users that no other Twilio systems or sensitive data were accessed. Users are encouraged to update their Authy apps to the latest versions (Android v25.1.0 or later, iOS v26.1.0 or later) to boost security.
Preventive Measures for Users
Authy users should take the following steps to protect themselves:
- Update the Authy App: Make sure you are using the latest version, which includes crucial security updates.
- Enable SIM Lock: Protect your SIM card with a passcode to prevent unauthorized transfers.
- Beware of Phishing and Smishing: Be vigilant of unsolicited messages or calls asking for login information, as these could be attempts to steal your credentials.
- Consider a Different Authenticator App: You may also switch to a different 2FA app. Aegis Authenticator is a free-to-use option for Android users.
Official Statement from Twilio
Twilio has reiterated its dedication to security and transparency, stating, “We believe that the security of our products and our customer’s data is of paramount importance and when an incident occurs that might threaten that security, we tell you about it.”
Twilio’s Security Incident Response Team is closely monitoring the situation and will provide updates as necessary. Users experiencing issues with their Authy accounts are urged to reach out to Authy support for assistance.