Hacker claims to have stolen 33 million phone numbers from U.S. messaging giant Twilio

Last week, a hacker known as ShinyHunters claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” had identified the phone numbers of users of Authy, a two-factor authentication app owned by Twilio.

Security breach and company response

Twilio spokesperson Kari Ramirez said that the company detected unauthorized access to data associated with Authy accounts, including phone numbers, through an unauthenticated endpoint. “We have taken action to secure this endpoint and no longer allow unauthenticated requests,” Ramirez stated.

Security expert Rachel Tobac, CEO of SocialProof Security, highlighted the risks associated with the breach. “Attackers can now specifically target people they know are Authy users, making their malicious messages appear to come from Authy and Twilio,” Tobac explained.

Previous incidents

In 2022, Twilio suffered a larger data breach where hackers accessed data from over 100 customers and launched a phishing campaign, resulting in the theft of approximately 10,000 employee credentials from at least 130 companies. During that breach, hackers targeted 93 individual Authy users, registering additional devices on their accounts to steal two-factor codes.

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.

Twilio also published an alert on its official website, emphasizing the same points.

Expert warnings

While obtaining a list of phone numbers may not seem the most dangerous data breach, it poses significant risks. “If attackers can enumerate a list of users’ phone numbers, they can impersonate Authy/Twilio to those users, increasing the believability in a phishing attack,” Tobac said.

Twilio urges users to remain vigilant and update their apps to ensure maximum security against potential threats.
