Security

Twilio advises caution following compromise of Authy user contact numbers

Brendyn Lotz

5th July 2024

This week Twilio, owner of two-factor authentication app Authy, confirmed that customer data had been accessed by an unauthorised party.
The firm is adamant that no user data was accessed and instead crims used an unauthenticated endpoint to check if a list of phone numbers were registered with Authy.
Customers need only update their Authy app and be careful of phishing and smishing scams.

Users of two-factor authentication service Authy may want to check for an update pending in their app store.

The owner of service, Twilio, reported this week that its had detected a security breach and cybercriminals were able to access Authy user data. This data appears to be limited to phone numbers and Authy accounts themselves weren’t compromised. The threat actors were able to access this data thanks to an unauthenticated endpoint. This endpoint has since been secured and no longer allows unauthenticated requests.

According to a report by Bleeping Computer, the attackers seemingly fed phone numbers into the endpoint and if it was registered with Authy it would return information about the associated account. It’s a rather common exploit and one that Twitter and Facebook have fallen prey to in the past.

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio writes.

As the firm rightly points out, the compromised contact numbers could be used to launch further attacks or even scams. As such, if you receive calls claiming to be from your bank or another financial service, it may be best to hang up and call the institution back directly.

Unfortunately, because of the nature of the attack it’s going to be tough to identify which contact numbers were confirmed as legitimate by cybercriminals. This is why Twilio is taking a blanket approach to warning customers.

“We know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened,” Twilio adds.

The company says that users who can’t access their accounts should get in contact with Twilio immediately.

Make sure that you are running the latest versions of Authy – Android (v25.1.0) and iOS App (v26.1.0) – and be a bit more cautious when you get unsolicited phone calls.

About Author

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.