Twilio confirms millions of phone numbers were stolen from Authy 2FA app in security breach

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

What just happened? Twilio has confirmed that a hacker stole millions of phone numbers belonging to users of its popular two-factor authentication app Authy. The company added that the threat actors may use these pilfered numbers for phishing and smishing attacks on the associated Authy accounts.

Last week, a hacker or hackers known as ShinyHunters posted a message on a popular hacking forum claiming they had compromised Twilio and obtained 33 million phone numbers registered with the Authy service.

ShinyHunters posted a CSV text file containing the numbers onto the dark web, writes BleepingComputer. The file contains 33,420,546 rows, each containing an account ID, phone number, an "over_the_top" column, account status, and device count.

In a security alert published this week, Twilio reported detecting that threat actors had identified data associated with Authy accounts, including phone numbers, due to an unauthenticated API endpoint. It has since taken action to secure this endpoint and no longer allows unauthenticated requests.

BleepingComputer reports that threat actors gathered the Authy user data by entering a massive list of phone numbers into the unsecured API endpoint. Valid numbers would see the endpoint return information about the associated accounts registered with Authy.

Twilio also states that it has found no evidence of hackers gaining access to its systems or other sensitive data beyond the phone numbers. However, it is recommending as a precaution that Authy users update their Android and iOS apps for the latest security updates. The company has sincerely apologized for the incident.

This isn't the first major hacking incident Twilio has faced. It suffered data breaches in June 2022 and August 2022 after a group of hackers launched a phishing campaign that saw 10,000 employee credentials stolen from at least 130 companies.

As Twilio was one of the companies successfully targeted during that campaign, attackers were able to access data from 163 Twilio accounts. They were also able to access 93 Authy accounts and register additional devices to these accounts, which allowed them to steal users' two-factor authentication codes.


Related stories
1 week ago - Plus: US auto dealers still offline; Conti coders sanction; Rabbit R1 hardcoded API keys; and more security in brief It took a while, but Microsoft has told customers that the Russian criminals who compromised its systems earlier this...
1 week ago - In a recent email notification to its users, as seen by Stack Diary, Twilio has disclosed a security incident involving... The post Twilio issues an alert about a security incident with a 3rd party carrier appeared first on Stack Diary.
1 week ago - Twilio says "threat actors were able to identify" phone numbers of people who use the two-factor app Authy.
1 week ago - Twilio hack leaves Authy users exposed to text-messaging scams  EngadgetTwilio says hackers identified cell phone numbers of two-factor app Authy users  TechCrunchTwilio alerts Authy two-factor app users that “threat actors” have their...
4 days ago - Twilio confirmed to CyberGuy that hackers got access to 33 million phone numbers related to its Authy two-factor authentication service.
Other stories
12 minutes ago - Why You Can Trust CNET Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy...
12 minutes ago - Amazon Prime subscribers can unlock their full streaming libraries with these VPNs, which are crucial if you travel abroad.
13 minutes ago - The worst offenders jacked up prices by as much as $50 from one year to the next.
18 minutes ago - Amazon Prime Day Starts in 2 Days. Here Are The Best Early Deals We’ve Found So Far.  The New York TimesView Full Coverage on Google News
18 minutes ago - The Google Search app for iPhone and iPad, which basically is its own browser, now offers customizable homescreen icons...