American messaging giant Twilio (NYSE: TWLO) confirmed on Monday that unauthorized “threat actors” accessed phone numbers associated with Authy, its two-factor authentication app. This comes after hacking group ShinyHunters claimed that it had stolen 33 million phone numbers from the app.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” Twilio said in a security alert on its website.
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” the company wrote.
While the exposed data may seem limited to phone numbers, security experts warn of potential risks. Rachel Tobac, CEO of SocialProof Security, told TechCrunch that this information could be exploited for targeted phishing attacks, as hackers can now impersonate Authy or Twilio with increased credibility.
Twilio appears to downplay the recent incident but it follows a more extensive breach in 2022, where hackers accessed data from over 100 customers and compromised employee credentials across numerous companies. In that attack, 93 Authy users were specifically targeted, allowing the hackers to register additional devices on their accounts and potentially intercept two-factor authentication codes.
Information for this story was found via the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
