
MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,291
32,091


Twilio has updated its Authy two-factor authentication (2FA) service after a hacker claimed to have retrieved 33 million phone numbers from its user database.


TechCrunch reports that the hacker(s) known as ShinyHunters took to a well-known hacking forum to boast about the theft of 33 million cell phone numbers, achieved by what Twilio described as the use of an "authenticated endpoint."

The U.S. messaging giant confirmed this week that "threat actors" gained access to its servers, resulting in the theft of users' phone numbers, but it did not specify how many were accessed. The company said it had taken action to secure the exploit and prevent similar future unauthenticated requests.
"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," said the company in a blog post. "While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving."
As Twilio notes, obtaining a list of phone numbers may not appear in itself to pose a severe security threat. However, attackers could conceivably contact users and claim to be Authy or Twilio representatives in order to get them to reveal personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app, available on the App Store. Twilio also advises users who cannot access their Authy account to contact its support team immediately.
At the beginning of the year, Authy announced that it was shutting down its Mac and Linux desktop apps in August 2024, but ended up bringing the date forward. The apps were subsequently killed off in March.

Article Link: Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed
 

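The article above describes an "unauthenticated endpoint" being used to pull phone numbers in bulk, and Twilio's fix as preventing "unauthenticated requests". The following is an added illustration of that defensive lesson, written for this thread and not taken from the article, Twilio or Authy: a gate that refuses anonymous lookups and rate-limits each authenticated principal, beside a detector that scans access-log lines for lookup bursts per source. The log format, the /lookup path and the sample traffic are constructed for the demo.

```python
"""Added example: not code from the MacRumors article, Twilio or Authy.
An endpoint that answers unauthenticated lookups can be walked to enumerate
records at scale, so (1) LookupGate denies anonymous calls and caps each
principal's rate, and (2) detect_enumeration flags sources that hammer the
lookup path. The log format and the /lookup path are assumptions for the demo."""
from collections import defaultdict, deque
import re

# Constructed sample access log (not real traffic).
# Fields: unix_ts source_ip principal_or_dash path status
SAMPLE_LOG = """\
1720000000 203.0.113.5 - /lookup 200
1720000001 203.0.113.5 - /lookup 200
1720000002 203.0.113.5 - /lookup 200
1720000003 203.0.113.5 - /lookup 200
1720000004 203.0.113.5 - /lookup 200
1720000005 203.0.113.5 - /lookup 200
1720000010 198.51.100.7 alice /lookup 200
1720000011 198.51.100.7 alice /lookup 200
1720000012 198.51.100.7 alice /profile 200
1720000020 192.0.2.9 - /lookup 200
1720000200 192.0.2.9 - /lookup 200
""".splitlines()

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def detect_enumeration(lines, path="/lookup", threshold=5, window=60):
    """Return {source_ip: peak_hits} for every source that calls `path`
    at least `threshold` times inside any `window`-second span.
    Each source keeps a sliding window of its recent request timestamps."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, _principal, req_path, _status = m.groups()
        if req_path != path:
            continue
        ts = int(ts)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


class LookupGate:
    """Hardened gate for the lookup endpoint: deny anonymous requests and
    cap each authenticated principal at `limit` calls per `window` seconds."""

    def __init__(self, limit=10, window=60):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, principal, now):
        """Return (allowed, reason). `principal` is None when the request
        carried no valid credential."""
        if principal is None:
            return False, "unauthenticated"
        q = self.hits[principal]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate_limited"
        q.append(now)
        return True, "ok"


if __name__ == "__main__":
    print("flagged sources:", detect_enumeration(SAMPLE_LOG))
    gate = LookupGate(limit=3, window=60)
    print(gate.allow(None, 0))
    for t in range(4):
        print(gate.allow("alice", t))
```

Running it flags only the anonymous source that made six lookups in six seconds; the two spaced-out anonymous hits and the authenticated user's two lookups stay under the threshold. In practice the threshold and window are tuned to the endpoint's legitimate traffic, and the gate's per-principal counter is backed by shared storage rather than process memory.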
jasonsmith_88

macrumors regular
Jul 27, 2016
185
445
Been using Authy for years but I’ve always been suss on the requirement for a phone number, especially as Twilio’s entire business model is SMS.

You should not have to, nor expect to, disclose your phone number in order to use a TOTP generator. My data has already been leaked so many times, so I migrated to 2FAS about a month ago in anticipation of an event like this. Sadly my data was leaked because Authy takes 30 days to delete an account 🙃

Do not use Authy.
 

krspkbl

macrumors 68020
Jul 20, 2012
2,214
5,309
Glad that I avoided them when I found out you needed a phone number. Seemed suspicious and risky. There is no reason to give them your number and there are many other options out there. Not even Google or Microsoft ask for your phone number when using their 2FA apps :p
 
  • Like
Reactions: jagooch

ashleykaryl

macrumors 6502
Jul 22, 2011
477
214
UK
I used this for years and it was fine, albeit with a less than stellar interface; however, they announced a few months ago that they would be dropping the desktop version and be mobile only. That didn't work for me, so I ditched it and spent a few ££ on an app called Step Two that works seamlessly across mobile and desktop. I can only hope that when I deleted my account with Authy, they did in fact remove my phone number. It's a mess though when so many of these companies get hacked.
 
  • Like
Reactions: dricci

WarmWinterHat

macrumors regular
Jun 24, 2024
146
524
Bummer. I liked Twilio's Authy, in part because it synced well between macOS and iOS. But now iCloud Keychain can do this as well, so I might as well migrate to that.

I also still use Twilio's SendGrid.

I don't use Authy anymore, but I've always kept my 2FA codes separate from my passwords app. If one got compromised, at least the 2FA sites would still be secure.
 

Darren.h

macrumors 6502
Apr 15, 2023
392
676
What isn't hacked these days? Can't keep a secure low profile no matter how hard you try. You're at the mercy of networks that have your data but follow poor security practices.

Comcast was hacked real bad, and my old boss is a senior cyber security boss for them living in LA.

It was a Citrix screw-up. When he was my boss in ILL, that's what we used for virtual desktops: Citrix.
 
  • Like
Reactions: Renderdog

BGM

macrumors member
Aug 5, 2009
75
89
Amsterdam
Been using Authy for years but I’ve always been suss on the requirement for a phone number, especially as Twilio’s entire business model is SMS.

You should not have to, nor expect to, disclose your phone number in order to use a TOTP generator. My data has already been leaked so many times, so I migrated to 2FAS about a month ago in anticipation of an event like this. Sadly my data was leaked because Authy takes 30 days to delete an account 🙃

Do not use Authy.

Hmm.. 2FAS looks interesting, will take a look!
 
  • Like
Reactions: MaximizedAction

xraydoc

Contributor
Oct 9, 2005
10,854
5,329
192.168.1.1
I've been using Authy for a while now. I wonder if I should just migrate everything to Apple's Passwords (or potentially 1Password, but didn't they have an issue last year? Can't recall...).
 

coffeemilktea

macrumors 65816
Nov 25, 2022
1,025
4,249
33 million numbers? I don't even know 33 people who use Authy. 🤯

...jokes aside, I really question the wisdom of using 2FA / security apps from companies that aren't well known. Something like Google Authenticator or Microsoft Authenticator would make more sense. A 2FA authenticator from.... Twilio...? Maybe not so much.
 
  • Haha
Reactions: jagooch

chucker23n1

macrumors G3
Dec 7, 2014
8,703
11,540
33 million numbers? I don't even know 33 people who use Authy. 🤯

...jokes aside, I really question the wisdom of using 2FA / security apps from companies that aren't well known. Something like Google Authenticator or Microsoft Authenticator would make more sense. A 2FA authenticator from.... Twilio...? Maybe not so much.

Twilio isn't that small; it's just that they mostly target the enterprise market.
 

lkrupp

macrumors 68000
Jul 24, 2004
1,984
4,038
What isn't hacked these days? Can't keep a secure low profile no matter how hard you try. You're at the mercy of networks that have your data but follow poor security practices.

Comcast was hacked real bad, and my old boss is a senior cyber security boss for them living in LA.

It was a Citrix screw-up. When he was my boss in ILL, that's what we used for virtual desktops: Citrix.
I completely agree. We are at the mercy of corporations with lax security. AT&T’s hack resulted in them offering their customers a free year of Experian credit monitoring and a smarmy apology. If you tried to buy a new car in the last two weeks you may have been affected by the CDK ransomware attack that disabled 15,000 automobile dealers across the country.
 

jumpcutking

macrumors 6502
Nov 6, 2020
306
227


Twilio has updated its Authy two-factor authentication (2FA) service after a hacker claimed to have retrieved 33 million phone numbers from its user database.


TechCrunch reports that the hacker(s) known as ShinyHunters took to a well-known hacking forum to boast about the theft of 33 million cell phone numbers, achieved by what Twilio described as the use of an "authenticated endpoint."

The U.S. messaging giant confirmed this week that "threat actors" gained access to its servers, resulting in the theft of users' phone numbers, but it did not specify how many were accessed. The company said it had taken action to secure the exploit and prevent similar future unauthenticated requests.
As Twilio notes, obtaining a list of phone numbers may not appear in itself to pose a severe security threat. However, attackers could conceivably contact users and claim to be Authy or Twilio representatives in order to get them to reveal personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app, available on the App Store. Twilio also advises users who cannot access their Authy account to contact its support team immediately.
At the beginning of the year, Authy announced that it was shutting down its Mac and Linux desktop apps in August 2024, but ended up bringing the date forward. The apps were subsequently killed off in March.

Article Link: Authy Users Urged to Stay Alert After Hack Exposes 33 Million Phone Numbers
With this and their desktop app dead, does this mean the service is dying? Should I move my codes? I’ve never seen an active service close a desktop app before like this. I suspect it was due to a script being able to export 2FA account data (Reddit post) and maybe it was turned off for security reasons, BUT their documentation doesn’t mention anything other than “End of Life” and here are alternative software options.
 

chucker23n1

macrumors G3
Dec 7, 2014
8,703
11,540
With this and their desktop app dead, does this mean the service is dying? Should I move my codes? I’ve never seen an active service close a desktop app before like this. I suspect it was due to a script being able to export 2FA account data (Reddit post) and maybe it was turned off for security reasons, BUT their documentation doesn’t mention anything other than “End of Life” and here are alternative software options.

I don't see them as related. The desktop app was probably killed for lack of usage. (Unfortunate.)
 
  • Like
Reactions: coolfactor