An attacker has obtained the phone numbers of 33 million users of the popular 2FA security app Authy, exposing them to an increased risk of phishing attacks.
Developer Twilio has confirmed the claim, and asked customers to take two precautions …
Two-factor authentication (2FA) means that when you (or someone using your credentials) log in to a website or service, you’ll additionally be asked for a one-time passcode generated by an app. Twilio’s Authy is one of the most popular 2FA apps on the App Store.
An attacker last week claimed to have obtained the phone numbers of 33 million Authy users, and Twilio has now confirmed this, albeit without specifying the number of accounts.
Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.
We have taken action to secure this endpoint and no longer allow unauthenticated requests. We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.
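Twilio has not published details of the endpoint, so the following is an added illustration rather than Twilio’s code: a minimal account-lookup handler in the unauthenticated form that lets anyone check whether a phone number is registered, beside a hardened form that requires a bearer token, rate-limits each caller and returns the same response whether or not the number exists. The phone numbers, the token, the `REGISTERED` set and the `queue_verification_sms` helper are all constructed for the example.

```python
"""Added example, not Twilio's code: an unauthenticated phone-number
lookup endpoint beside a hardened version. All data is constructed."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample data: phone numbers registered with a hypothetical service.
REGISTERED = {"+15555550101", "+15555550102"}

# Constructed API credential for a hypothetical internal caller, stored hashed.
VALID_TOKEN_SHA256 = hashlib.sha256(b"example-secret-token").hexdigest()

# Records which numbers were sent a verification code (stand-in for an SMS gateway).
SENT_SMS = []


def queue_verification_sms(phone):
    """Hypothetical helper: hand a verification code to the SMS gateway."""
    SENT_SMS.append(phone)


def vulnerable_lookup(request):
    """Before: no authentication, and the response reveals whether the
    number has an account, so the endpoint can be used to enumerate users."""
    phone = request.get("phone", "")
    if phone in REGISTERED:
        return 200, {"registered": True, "phone": phone}
    return 404, {"registered": False}


class HardenedLookup:
    """After: every request must carry a valid bearer token, callers are
    rate-limited, and the response is identical for registered and
    unregistered numbers."""

    def __init__(self, max_requests=5, window_seconds=60):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(list)  # caller id -> request timestamps

    def _authenticated(self, request):
        header = request.get("headers", {}).get("Authorization", "")
        if not header.startswith("Bearer "):
            return False
        presented = hashlib.sha256(header[len("Bearer "):].encode()).hexdigest()
        # Constant-time comparison of the hashed token.
        return hmac.compare_digest(presented, VALID_TOKEN_SHA256)

    def _rate_limited(self, caller, now):
        recent = [t for t in self._hits[caller] if now - t < self.window]
        self._hits[caller] = recent
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def handle(self, request, now=None):
        now = time.monotonic() if now is None else now
        if not self._authenticated(request):
            return 401, {"error": "authentication required"}
        caller = request.get("caller", "anonymous")
        if self._rate_limited(caller, now):
            return 429, {"error": "too many requests"}
        phone = request.get("phone", "")
        if phone in REGISTERED:
            queue_verification_sms(phone)
        # Uniform status and body: nothing here tells the caller whether
        # the number is registered.
        return 202, {"status": "if that number is registered, a code has been sent"}
```

The point of the hardened handler is not only the missing authentication check. Even an authenticated lookup still leaks account existence if it answers differently for known and unknown numbers, so the response is made uniform and the per-caller rate limit caps how much any one credential can learn.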
The developer is asking all users to update to the latest version, and be alert to sketchy text messages.
As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.
The biggest risk here is that an attacker now knows three things about you:
- Your phone number
- That you use 2FA
- That you specifically use Authy
They can use this information to create persuasive-looking texts, for example from one of your services advising that there is a problem with your two-factor authentication, and asking you to reset it. Or claiming to be Twilio.
TechCrunch reports that the same hacker is believed to be behind a phishing campaign which resulted in the theft of around 10,000 employee logins across several different companies.
A phishing attack was also behind the Evolve data breach, which likely compromised the sensitive personal information of customers of Wise and other fintech companies.
It’s the second time in recent weeks that we’ve seen a security weakness in a cybersecurity company, following the exposure of photo IDs on an identity-verification service used by many tech giants. The developer of a 2FA app is also high up the list of companies you really don’t want to see hacked.
Photo by Philipp Katzenberger on Unsplash