Cloud communications provider Twilio has disclosed that unidentified threat actors exploited an unauthenticated endpoint in Authy to access data associated with Authy accounts, including users’ cell phone numbers.
The company stated that it has since secured the endpoint so that it no longer accepts unauthenticated requests. This revelation comes shortly after an online persona known as ShinyHunters published a database containing 33 million phone numbers, allegedly extracted from Authy accounts, on BreachForums.
Authy, which Twilio acquired in 2015, is a widely used two-factor authentication (2FA) app that enhances account security. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data,” Twilio said in a security alert on July 1, 2024. However, as a precaution, the company recommends that users update their Android apps to version 25.1.0 or later and their iOS apps to version 26.1.0 or later.
Twilio also warned that the threat actors might use the phone numbers linked to Authy accounts for phishing and smishing attacks. “We encourage all Authy users to remain vigilant and be particularly cautious about the texts they receive,” it noted.