Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed that these “threat actors” were able to identify the phone numbers of people who use Authy, a popular two-factor authentication app owned by Twilio.
In a post on a well-known hacking forum, the hacker or group known as ShinyHunters claimed they had hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez stated that the company “detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.
Twilio also published an alert on its official website on Monday, echoing the same statement.
While obtaining a list of phone numbers alone may not seem like a severe data breach, it could still pose a significant threat to the owners of those numbers.
“If attackers are able to enumerate a list of users’ phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, explained.
Tobac further elaborated that hackers can now specifically target individuals they know are Authy users, making their malicious messages appear more legitimate as if they are coming from Authy and Twilio.
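The statements above describe an unauthenticated lookup endpoint that let anyone learn which phone numbers belong to Authy accounts. The following added example (not Twilio’s code; the registry, session store and log lines are constructed) contrasts such an existence oracle with a hardened handler, and shows a simple detector for enumeration over access-log lines.

```python
# Added example, not Twilio's or Authy's code. Shows why an unauthenticated
# "is this phone number registered?" lookup is an enumeration oracle, a
# hardened form, and a detector over constructed access-log lines.
from collections import defaultdict
import re

# Constructed sample data: registered numbers and session token -> owner.
REGISTERED = {"+15550001111", "+15550002222"}
SESSIONS = {"tok-abc": "+15550001111"}

def lookup_unauthenticated(phone: str) -> dict:
    """Weak form: any caller learns whether any number has an account."""
    return {"registered": phone in REGISTERED}

def lookup_authenticated(token: str, phone: str) -> dict:
    """Hardened form: needs a valid session bound to the queried number and
    returns the same shape for bad tokens and foreign numbers, so the
    response no longer distinguishes registered from unregistered numbers."""
    owner = SESSIONS.get(token)
    if owner is None or owner != phone:
        return {"ok": False}  # uniform refusal, no account-existence signal
    return {"ok": True, "registered": phone in REGISTERED}

# Constructed log shape: <ip> "GET /lookup?phone=<number>" <status>
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "GET /lookup\?phone=(?P<phone>\+\d+)" (?P<status>\d{3})$'
)

def flag_enumeration(log_lines, max_distinct=3):
    """Return source IPs that queried more than max_distinct different
    numbers; a legitimate client only ever asks about its own number."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m:
            seen[m["ip"]].add(m["phone"])
    return sorted(ip for ip, phones in seen.items() if len(phones) > max_distinct)

# Constructed access-log sample: one source walking a number range.
SAMPLE_LOG = [
    '203.0.113.9 "GET /lookup?phone=+15550001111" 200',
    '203.0.113.9 "GET /lookup?phone=+15550001112" 200',
    '203.0.113.9 "GET /lookup?phone=+15550001113" 200',
    '203.0.113.9 "GET /lookup?phone=+15550001114" 200',
    '198.51.100.4 "GET /lookup?phone=+15550002222" 200',
]

if __name__ == "__main__":
    print(lookup_unauthenticated("+15550001111"))      # {'registered': True}
    print(lookup_authenticated("bad", "+15550001111"))  # {'ok': False}
    print(flag_enumeration(SAMPLE_LOG))                 # ['203.0.113.9']
```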
In 2022, Twilio experienced a larger data breach when a group of hackers accessed the data of more than 100 company customers. The hackers then launched a wide-ranging phishing campaign resulting in the theft of around 10,000 employee credentials from at least 130 companies. As part of that breach, Twilio reported that hackers successfully targeted 93 individual Authy users and registered additional devices on those victims’ Authy accounts, allowing them to effectively steal real two-factor authentication codes.
This latest incident highlights the ongoing risks and the need for heightened security measures, especially for users of services like Authy.