33 million Authy users exposed in authentication app's own security nightmare

A hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. The company confirmed to CyberGuy that threat actors got access to the data associated with its Authy two-factor authentication service.

Obtaining a list of phone numbers alone does not make this the biggest cyberattack, but it could still pose a threat to the owners of those numbers.

Hackers may use these numbers to launch phishing attacks, send spam text messages or attempt SIM swapping. Twilio has since patched its app to avoid future security incidents and has also cautioned users.



Illustration of a hacker at work (Kurt "CyberGuy" Knutsson)

What you need to know

On July 3, the hacker group known as ShinyHunters reportedly took to a hacking forum to boast about stealing 33 million cellphone numbers. Twilio said that the incident was "not a hack or breach" but rather the threat actors exploiting an "unauthenticated endpoint." In simple terms, hackers exploited a specific part of Twilio's system that didn't require authentication.

The U.S. messaging giant confirmed that hackers were able to identify data associated with Authy accounts, including phone numbers, but did not specify how many accounts were affected. The company stated that there is no evidence indicating that the hackers gained access to Twilio's systems or other sensitive data.

Twilio provided this statement to CyberGuy: "Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks."



Illustration of hackers at work (Kurt "CyberGuy" Knutsson)
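The incident described above came down to an endpoint that returned account data without requiring authentication. As an added example (not code from Twilio or from the original article), this defender-side log audit flags account-data routes that answered requests carrying no credentials, and clients that looked up many distinct numbers. The log format, the `/v1/users/` route, the `phone` parameter and the threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hypothetical account-data routes that must never answer without credentials.
SENSITIVE_PREFIXES = ("/v1/users/",)

# Assumed log format: client_ip "METHOD target" status auth=<scheme|none>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)

# Constructed sample lines (documentation IPs, fictional 555-01xx numbers).
SAMPLE_LOG = """\
198.51.100.7 "GET /v1/users/lookup?phone=%2B15555550101" 200 auth=none
198.51.100.7 "GET /v1/users/lookup?phone=%2B15555550102" 200 auth=none
198.51.100.7 "GET /v1/users/lookup?phone=%2B15555550103" 200 auth=none
198.51.100.7 "GET /v1/users/lookup?phone=%2B15555550103" 200 auth=none
203.0.113.20 "GET /v1/users/lookup?phone=%2B15555550150" 200 auth=bearer
203.0.113.21 "GET /v1/users/lookup?phone=%2B15555550151" 401 auth=none
192.0.2.44 "GET /healthz" 200 auth=none
192.0.2.9 "GET /v1/users/lookup?phone=%2B15555550160" 200 auth=none
"""

def audit(log_text, min_distinct=3):
    """Return (routes served without auth, {client: distinct numbers looked up})."""
    open_routes = set()
    numbers_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(m["target"])
        if not url.path.startswith(SENSITIVE_PREFIXES):
            continue  # public routes such as health checks are out of scope
        if m["auth"] != "none" or m["status"] != "200":
            continue  # authenticated, or correctly rejected
        open_routes.add(url.path)  # root cause: data returned with no credentials
        for phone in parse_qs(url.query).get("phone", []):
            numbers_by_client[m["ip"]].add(phone)
    bulk = {ip: len(nums) for ip, nums in numbers_by_client.items()
            if len(nums) >= min_distinct}
    return open_routes, bulk

if __name__ == "__main__":
    routes, bulk_clients = audit(SAMPLE_LOG)
    print("unauthenticated account-data routes:", sorted(routes))
    print("clients with bulk lookups:", bulk_clients)
```

Any route in the first result is a finding on its own, regardless of request volume: the fix is to require authentication on it, as Twilio says it has done.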


What do affected users need to do?

If you’ve been affected by the Twilio security incident, the first thing you need to do is download the latest version of the Authy app. Twilio has released a new version of the app that includes bug fixes and security updates. Android users can update the app from the Play Store, and iPhone users can head to the App Store.

You also need to be cautious of phishing attacks. While your Authy account itself is safe, hackers might use the phone number linked to your account to try some phishing tricks. This means they could contact you pretending to be from Authy or Twilio to trick you into giving away personal information.


Illustration of a hacker (Kurt "CyberGuy" Knutsson)


5 steps to take to protect your privacy and personal data

While hackers can misuse your personal information in various ways, there are several steps you can take to prevent harm.

1. Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but it’s not enough to stop all malicious software. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you to any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Use an identity theft protection service: Identity theft companies can monitor personal information like your Social Security Number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.


One of the best parts of using some services is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

3. Invest in data removal services: While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Remove your personal data from the internet with my top picks here.

4. Use multifactor authentication: Enable two-factor authentication on your important accounts to add an extra layer of security beyond a password. This requires a second step, like a code sent to your phone, to log in.

5. Use a VPN: Consider using a VPN to protect against being tracked and to keep the websites you visit from identifying your potential location. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.


Kurt’s key takeaway

Authy is a two-factor authentication service that users trust, but a security lapse in its system reminds users that no service is foolproof. The service maker maintains that hackers do not have access to Authy accounts, which is a relief. Companies should invest more in security infrastructure to ensure that their customers’ sensitive data does not get compromised so easily.



Copyright 2024 All rights reserved.

Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends."

