Last week, a hacker group known as ShinyHunters claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed that “threat actors” had successfully identified the phone numbers of users of Authy, a popular two-factor authentication (2FA) app owned by Twilio.
Authy is a widely used 2FA app, especially among centralized exchange users for securing transactions and other sensitive tasks. The app competes with Google’s Authenticator and plays a crucial role in protecting against SIM swap attacks, which have resulted in significant financial losses for users of exchanges like OKX.
The breach was announced by ShinyHunters in a post on a well-known hacking forum, where they detailed their successful hack of Twilio and the acquisition of cell phone numbers of 33 million Authy users. Twilio spokesperson Kari Ramirez confirmed that the attackers exploited an unauthenticated endpoint to identify data associated with Authy accounts, including phone numbers. Twilio has since secured this endpoint to prevent further unauthorized access.
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data,” Ramirez stated. However, as a precaution, Twilio is urging all Authy users to update their Android and iOS apps for the latest security updates and to be vigilant against phishing and smishing attacks.
While the theft of phone numbers may not seem as severe as other types of data breaches, it still poses significant risks. Rachel Tobac, a social engineering expert and CEO of SocialProof Security, explained that hackers could use the stolen numbers to impersonate Authy or Twilio, making phishing attacks more convincing.
The recent breach underscores the persistent threat of cyberattacks and the importance of securing digital endpoints. The attackers reportedly used a massive list of phone numbers inputted into Authy’s unsecured API endpoint to verify their association with the app. Twilio has since resolved this vulnerability, ensuring the app no longer accepts unauthenticated requests.
Despite the breach, Twilio assures that users’ authenticator codes and other sensitive data have not been compromised. Nonetheless, they advise Authy users to update their apps and remain alert to potential phishing attempts.