Authy, a two-factor authentication app, has been the victim of a cyberattack. The hacker managed to steal some 33 million phone numbers, exposing their users to phishing and SIM swapping.

For added security, many people use login code-generating apps like Google Authenticator as part of two-factor authentication. This system improves the security of online accounts by adding an extra layer of protection and makes it harder for cybercriminals to break in. However, it doesn’t guarantee 100% security. Twilio’s popular two-factor authentication app, Authy, has been hit by a cyberattack. Two years after suffering two breaches in which cybercriminals were able to penetrate its infrastructure and access Authy account information, Twilio announced in a statement that an attacker had been “able to identify data associated with Authy accounts, including phone numbers” by exploiting a flaw in the application programming interface (API).

Authy hack: data of 33 million users for sale

By exploiting the Authy flaw, the hacker, who goes by the name ShinyHunters, matched a list of numbers obtained in a previous data breach against those stored in Authy’s systems. Whenever a submitted phone number was registered, the endpoint behind the breach returned information about the associated Authy account. It’s worth noting that ShinyHunters was also behind the TicketMaster data breach, which occurred last June and resulted in the theft of personal data of 560 million users.


After the hack, ShinyHunters published a CSV file containing 33 million phone numbers registered with Authy on a hacking forum last June. Each entry in the file included an account ID, phone number, account status, and the number of linked devices.

Authy hack: risks of phishing and SIM card hijacking

This seemingly innocuous leak exposes affected users to SMS phishing and SIM swapping attacks. Cybercriminals will be able to combine this new data with that of other data breaches to build sophisticated phishing campaigns and thus better target their attacks. Not to mention that, by hijacking a phone number registered with Authy, they could gain access to a whole range of accounts secured with two-factor authentication: they would only need to collect the login codes to penetrate dozens of different accounts.

Twilio has since secured the compromised endpoint, so users should definitely update the app to Android v. 25.1.0 and iOS v. 26.1.0. The company also says it will “no longer allow unauthenticated requests” and claims to have found no evidence that the hacker had access to other sensitive data. It is still advisable to change the application’s master password and enable biometric authentication.
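The registration oracle described in the two sections above, as an added example that is not Twilio’s or Authy’s code: the first handler answers any caller and reveals whether a number is registered, while the hardened version requires a session token, returns the same body for registered and unregistered numbers, and rate-limits each caller. The registry, token, and handler names are constructed for illustration.

```python
# Added example (not Twilio's or Authy's code): a minimal model of the
# unauthenticated lookup described above, beside a hardened version.
# REGISTRY, the session token and all names are constructed for illustration.
import hmac
import time
from collections import defaultdict

# Constructed sample registry: phone number -> account record.
REGISTRY = {
    "+15550100001": {"account_id": 1001, "status": "active", "devices": 2},
    "+15550100002": {"account_id": 1002, "status": "active", "devices": 1},
}


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated endpoint: the status code alone tells the caller
    whether the number is registered, and a hit returns account metadata."""
    rec = REGISTRY.get(phone)
    if rec is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": dict(rec)}


class HardenedLookup:
    """Same lookup with three mitigations: a valid session token is required,
    the response is identical whether or not the number is registered, and
    each caller gets only a few requests per time window."""

    def __init__(self, session_token: str, limit: int = 5, window_s: int = 60):
        self._token = session_token
        self._limit = limit
        self._window = window_s
        self._hits = defaultdict(list)  # caller id -> request timestamps

    def _rate_limited(self, caller: str, now: float) -> bool:
        recent = [t for t in self._hits[caller] if now - t < self._window]
        recent.append(now)
        self._hits[caller] = recent
        return len(recent) > self._limit

    def lookup(self, phone: str, token: str, caller: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        if not hmac.compare_digest(token, self._token):
            return {"status": 401, "body": {}}  # unauthenticated: no answer at all
        if self._rate_limited(caller, now):
            return {"status": 429, "body": {}}  # bulk probing is slowed down
        # Uniform reply: registered or not, the caller sees the same response.
        # Any per-number action (e.g. sending a code) would happen out of band.
        _ = REGISTRY.get(phone)
        return {"status": 202, "body": {"message": "Request accepted."}}
```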

If you ever receive an email or text message that you find suspicious, don’t hesitate to use verification tools like Scamio, a free chatbot capable of analyzing communications received and detecting fraud attempts, or Orange Cybersecure, a participatory portal that allows any Internet user to check whether a link is malicious (see our article).