Skip to main content

Authy exposes phone numbers of 33M users; Twilio confirms

An attacker has obtained the phone numbers of 33 million users of the popular 2FA security app Authy, exposing them to an increased risk of phishing attacks.

Developer Twilio has confirmed the claim, and asked customers to take two precautions …

Two-factor authentication (2FA) means that when you (or someone using your credentials) login to a website or service, you’ll additionally be asked for a one-time passcode generated by an app. Twilio’s Authy is one of the most popular 2FA apps on the App Store.

An attacker last week claimed to have obtained the phone numbers of 33 million Authy users, and Twilio has now confirmed this, albeit without specifying the number of accounts.

Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.

We have taken action to secure this endpoint and no longer allow unauthenticated requests. We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. 

The developer is asking all users to update to the latest version, and be alert to sketchy text messages.

As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.

The biggest risk here is that an attacker now knows three things about you:

  • Your phone number
  • That you use 2FA
  • That you specifically use Authy

They can use this information to create persuasive-looking texts, for example from one of your services advising that there is a problem with your two-factor authentication, and asking you to reset it. Or claiming to be Twilio.

TechCrunch reports that the same hacker is believed to behind a phishing campaign which resulted in the theft of around 10,000 employee logins across several different companies.

A phishing attack was also behind the Evolve data breach, which likely compromised the sensitive personal information of customers of Wise and other fintech companies.

It’s the second time in recent weeks that we’ve seen a security weakness in a cybersecurity company, following the exposure of photo IDs on an identity-verification service used by many tech giants. The developer of a 2FA app is also high up the list of companies you really don’t want to see hacked.

Photo by Philipp Katzenberger on Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications