
UPDATE: Millions of Authy users’ cellphone numbers exposed by insecure endpoint


UPDATE: 7/10 5:30 PM ET - TechCrunch reports that Twilio, the major U.S. cloud communications firm, has confirmed that the cellphone numbers of millions of users of its two-factor authentication app Authy were compromised in a cyberattack. The ShinyHunters hacking operation claimed the attack exposed 33 million users' numbers.

Twilio reached out to SC Media and issued a statement underscoring that the company's platform has not been hacked. Rather, Twilio acknowledged that data associated with Authy accounts was exposed in a cyber incident involving an unauthenticated endpoint that has since been secured.

The company issued the following statement:

"Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

We have seen no evidence that the threat actors breached Twilio's systems or that they obtained access to Twilio's systems or other sensitive internal data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks." - Twilio spokesperson

Attackers were able to obtain Authy customers' phone numbers and other data via an unauthenticated endpoint, which has since been secured, but there has been no indication of further breaches of Twilio's systems or sensitive data, according to Twilio spokesperson Kari Ramirez. Authy users have been urged to immediately update to the latest versions of the app on Android and iOS to prevent compromise. The incident has raised concerns among cybersecurity experts, including SocialProof Security CEO Rachel Tobac. "If attackers are able to enumerate a list of users' phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number," Tobac said.

(An update to this news brief on 7/10 clarifies that the Twilio platform was not hacked. The story headline has been modified to amplify that fact and an additional statement from Twilio has been added to this report.)
