The recent Twilio data breach may have taken an unfortunate turn, as new reports suggest the attackers were able to single out Authy users among the stolen records.
The notorious hacking collective ShinyHunters recently claimed to have stolen 33 million phone numbers from Twilio. The company has now revealed that the attackers were able to determine which of those phone numbers were used for the Authy service.
For those unfamiliar, Authy is a popular multi-factor authentication (MFA) tool that was acquired by Twilio in 2015.
Twilio spokesperson Kari Ramirez told TechCrunch the company “discovered that threat actors were able to identify data associated with Authy accounts, including phone numbers, thanks to an unauthenticated endpoint. We have taken measures to secure this endpoint and will no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors gained access to Twilio’s systems or other sensitive data. As a precaution, we ask all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to remain diligent and be more aware of phishing and smishing attacks,” Ramirez wrote in an email.
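To make the enumeration problem concrete, here is an added illustration (not Twilio's or Authy's code, and the endpoint shape, field names and API token are assumed for the demo). It contrasts a lookup handler that answers anyone with a registered/not-registered verdict, which lets an attacker feed in a list of phone numbers and keep the hits, against a handler that rejects unauthenticated requests with a single uniform response and rate-limits callers, which is the class of fix Twilio describes.

```python
"""Phone-number enumeration through an unauthenticated lookup endpoint,
and one way to close it. Added example; not Twilio's or Authy's code.
The endpoint behaviour, field names and token below are assumptions."""

import hmac
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Constructed sample data: numbers enrolled in a toy MFA service.
REGISTERED_PHONES = {"+15555550100", "+15555550101"}

# Constructed API credential for the hardened endpoint (a real service would
# issue per-client secrets, never a constant in source).
VALID_API_TOKEN = "demo-token-" + "0" * 32


@dataclass
class Request:
    phone: str
    headers: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.10"  # documentation range, constructed


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_lookup(req: Request) -> Response:
    """No authentication, and the status/body reveal whether the number is enrolled."""
    if req.phone in REGISTERED_PHONES:
        return Response(200, {"phone": req.phone, "registered": True})
    return Response(404, {"error": "not found"})


class HardenedLookup:
    """Requires a bearer token, answers unauthenticated callers uniformly,
    and caps requests per client so bulk probing is noisy and slow."""

    def __init__(self, max_requests: int = 5):
        self.max_requests = max_requests
        self.counts: dict = {}

    def _authenticated(self, req: Request) -> bool:
        token = req.headers.get("Authorization", "")
        # Constant-time comparison so the check itself does not leak token bytes.
        return hmac.compare_digest(token, "Bearer " + VALID_API_TOKEN)

    def handle(self, req: Request) -> Response:
        self.counts[req.client_ip] = self.counts.get(req.client_ip, 0) + 1
        if self.counts[req.client_ip] > self.max_requests:
            return Response(429, {"error": "rate limited"})
        if not self._authenticated(req):
            # Identical status and body whether or not the phone is enrolled,
            # so an unauthenticated caller learns nothing about the number.
            return Response(401, {"error": "authentication required"})
        # Only an authorized client gets the real answer.
        return Response(200, {"phone": req.phone,
                              "registered": req.phone in REGISTERED_PHONES})


def probe(handler: Callable[[Request], Response],
          candidates: Iterable[str],
          headers: Optional[dict] = None) -> set:
    """Attacker's view: feed candidate numbers in, keep the ones confirmed enrolled."""
    found = set()
    for phone in candidates:
        resp = handler(Request(phone, headers=dict(headers or {})))
        if resp.body.get("registered") is True:
            found.add(phone)
    return found


if __name__ == "__main__":
    cands = ["+15555550100", "+15555550101", "+15555550199"]
    print("vulnerable endpoint leaks:", probe(vulnerable_lookup, cands))
    print("hardened, no token:", probe(HardenedLookup().handle, cands))
```

Running the block shows the vulnerable handler confirming two of the three constructed numbers to an anonymous caller, while the hardened handler confirms none. The rate limit is a second layer, not a substitute for authentication: a motivated attacker with many source addresses can spread probes out, which is why the uniform 401 does the real work here.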
If attackers know which phone numbers are tied to Authy accounts, they have a targeted list for phishing and for attempts to defeat those users’ MFA.
For example, cybercriminals could pose as Authy and contact users via SMS, then trick them into handing over time-sensitive one-time codes, which the attacker can use to log in to the victim’s accounts before the codes expire.
“If attackers can enumerate a list of users’ phone numbers, those attackers can impersonate those users as Authy/Twilio, increasing the credibility of a phishing attack on that phone number,” Rachel Tobac, CEO of SocialProof Security, told the publication.
Twilio is a cloud communications platform designed for businesses looking to integrate real-time communications into their software applications.