Twilio says hackers identified cell phone numbers of two-factor app Authy users - TechCrunch

Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.

In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.

Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email. 

Twilio also published an alert on its official website on Monday, including the same statement. 

While obtaining a list of phone numbers — on its own — may not appear to be the most dangerous of data breaches, it could still pose a threat to the owners of those numbers.

“If attackers are able to enumerate a list of users’ phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.

Tobac explained that now hackers can specifically target people who they know are Authy users, giving the attackers a chance to make it look like their malicious messages really come from Authy and Twilio. 

In 2022, Twilio suffered a larger data breach, when a group of hackers accessed the data of more than 100 company customers. The hackers then launched a wide-ranging phishing campaign which resulted in the theft of around 10,000 employee credentials from at least 130 companies. Twilio said at the time that, as part of that breach, hackers successfully targeted 93 individual Authy users and were able to register additional devices on those victims’ Authy accounts, allowing them to effectively steal real two-factor codes.

UPDATE, 12:52 p.m. ET: This story has been corrected to clarify that the 2022 Twilio breach is not directly connected to the phishing campaign that resulted in the theft of around 10,000 employee credentials of several companies. The two attacks were allegedly carried out by the same threat actors.

Source: techcrunch.com
