Authy Users Urged to Stay Alert After Hack Exposes 33 Million Phone Numbers

Twilio has updated its Authy two-factor authentication (2FA) service after a hacker claimed to have retrieved 33 million phone numbers from its user database.

TechCrunch reports that the hacker(s) known as ShinyHunters took to a well-known hacking forum to boast about the theft of 33 million cell phone numbers, achieved by what Twilio described as the use of an "unauthenticated endpoint."

The U.S. messaging giant confirmed this week that "threat actors" gained access to its servers, resulting in the theft of users' phone numbers, but it did not specify how many were accessed. The company said it had taken action to secure the exploit and prevent similar future unauthenticated requests.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," said the company in a blog post. "While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving."

As Twilio notes, obtaining a list of phone numbers may not appear in itself to pose a severe security threat. However, attackers could conceivably contact users and claim to be Authy or Twilio representatives in order to get them to reveal personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app, available on the App Store. Twilio also advises users who cannot access their Authy account to contact its support team immediately.

At the beginning of the year, Authy announced that it was shutting down its Mac and Linux desktop apps in August 2024, but ended up bringing the date forward. The apps were subsequently killed off in March.

Top Rated Comments

jasonsmith_88
3 days ago at 03:34 am
Been using Authy for years but I’ve always been suss on the requirement for a phone number, especially as Twilio’s entire business model is SMS.

You should not have to, nor expect to, disclose your phone number in order to use a TOTP generator. My data has already been leaked so many times, so I migrated to 2FAS about a month ago in anticipation of an event like this. Sadly my data was leaked because Authy takes 30 days to delete an account.

Do not use Authy.
Score: 14 Votes
antiprotest
3 days ago at 03:20 am

> Never even heard of Twilio, should we be concerned? :rolleyes:

Many of the services you have heard of use Twilio. It offers APIs and such. So it's not a name customers will always directly face, but it's there. In this case, Twilio owns Authy.
Score: 10 Votes
JosephAW
3 days ago at 03:12 am
Never even heard of Twilio, should we be concerned? :rolleyes:
Score: 7 Votes
chucker23n1
3 days ago at 03:29 am

> Many of the services you have heard of use Twilio.

Yep.

For example, lots of companies use Twilio SendGrid for transactional mails (password change confirmations, etc.) or marketing mails (newsletters, etc.). Or they use Twilio itself to send text messages.
Score: 6 Votes
WarmWinterHat
3 days ago at 04:28 am

> Bummer. I liked Twilio's Authy, in part because it synced well between macOS and iOS. But now iCloud Keychain can do this as well, so I might as well migrate to that.
>
> I also still use Twilio's SendGrid.

I don't use Authy anymore, but I've always kept my 2FA codes separate from my passwords app. If one got compromised, at least the 2FA sites would still be secure.
Score: 6 Votes
Jackbequickly
3 days ago at 03:47 am
Things like this happen all the time. Most of the time we never are even informed, even when they get way more than our phone numbers. It is near unavoidable in today's world.
Score: 5 Votes