Hackers Exploit Authy API for Phone Number Access, Says Twilio


Messaging giant Twilio has confirmed that a vulnerable API endpoint allowed “threat actors” to check the phone numbers of numerous Authy multi-factor authentication users. Last week, a threat actor known as ShinyHunters leaked a CSV file containing what they claim are 33 million phone numbers linked to Authy, as reported by TechCrunch.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint,” Twilio said in a blog post. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.”

Twilio acknowledged that the threat actors exploited a vulnerable API endpoint, which prompted the company to disable the endpoint and enhance its security. It has advised users to update their Authy iOS app from the App Store and to contact Twilio support if they are unable to access their accounts. Note that Authy’s desktop app is no longer available; Authy is now available only on iOS and Android.

More importantly, this incident follows a 2022 data breach in which a phishing campaign tricked employees into revealing their login details, and attackers breached over 163 Twilio accounts.

Data breaches seem to have become increasingly common recently. Ars Technica also reported that approximately three million iPhone and Mac apps are currently at risk.
