Authy, the app used by many people for two-factor authentication (2FA), has issued a warning after a data breach resulted in attackers stealing up to 33 million phone numbers.
The attack via an unsecured API endpoint allowed adversaries to verify the phone numbers of millions of Authy multi-factor authentication (MFA) users. As a result, Authy users could now be vulnerable to SMS phishing and SIM swapping attacks.
In late June, an adversary dubbed ShinyHunters leaked a CSV text file, claiming that it contained 33 million phone numbers registered with the Authy service, Bleeping Computer reports.
The CSV file contains 33,420,546 rows, each with an account ID, phone number, an “over_the_top” column, account status and device count, the site reported.
Now, Authy has confirmed the attack in a blog post. The firm was attacked twice during 2022, but said the latest breach is not linked to those previous incidents.
Authy owner Twilio sent me a statement over email, which reads: “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
Twilio says it has “seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data,” but Authy is “requesting all Authy users to update to the latest Android and iOS apps for the latest security updates.”
It is also encouraging all Authy users to “stay diligent and have heightened awareness around phishing and smishing attacks.”
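The article and Twilio's statement describe the root cause only at a high level: an unauthenticated endpoint that let a caller confirm whether a phone number was registered. The following is an added example, not code from the article, from Authy or from Twilio, and it does not reproduce the real endpoint. It contrasts the weak pattern (no credential, and a reply that differs for registered and unregistered numbers) with a hardened handler (credential required, uniform reply), and adds a detector that flags clients querying many distinct numbers in constructed access-log lines. All phone numbers, IPs, paths, the token scheme and the `/v1/phone/verify` route are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample table standing in for a service database.
# Hypothetical numbers; none come from the incident.
REGISTERED = {"+15550100001", "+15550100002"}
API_SECRET = b"constructed-demo-secret"  # demo value, not a real key


def lookup_unauthenticated(phone: str) -> dict:
    """Weak pattern: no credential is required and the reply reveals whether
    the number is registered, so the endpoint acts as a membership oracle."""
    return {"status": "registered" if phone in REGISTERED else "unknown"}


def issue_token() -> str:
    """Constructed bearer token: HMAC-SHA256 over a fixed client label.
    Stands in for whatever credential a real service would issue."""
    return hmac.new(API_SECRET, b"client-a", hashlib.sha256).hexdigest()


def valid_token(token: Optional[str]) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    if not token:
        return False
    return hmac.compare_digest(token, issue_token())


def lookup_hardened(phone: str, token: Optional[str]) -> dict:
    """Hardened handler (hypothetical design): the credential is checked
    first, and the response body is identical for every phone value, so a
    caller cannot use it to confirm numbers. Whether the number is registered
    is recorded server-side only."""
    if not valid_token(token):
        return {"status": "unauthorized"}  # same answer for any number
    _is_registered = phone in REGISTERED  # used for internal processing only
    return {"status": "accepted"}  # uniform reply, no membership disclosure


# Constructed access-log lines: timestamp, client IP, method, path, HTTP status.
# '+' is percent-encoded as %2B so parse_qs decodes it back to '+'.
SAMPLE_LOG = """\
2024-06-20T10:00:01Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100001 200
2024-06-20T10:00:02Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100002 200
2024-06-20T10:00:02Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100003 200
2024-06-20T10:00:03Z 198.51.100.7 GET /v1/phone/verify?phone=%2B15550100001 200
2024-06-20T10:00:03Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100004 200
2024-06-20T10:00:04Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100005 200
2024-06-20T10:00:05Z 198.51.100.7 GET /v1/phone/verify?phone=%2B15550100001 200
2024-06-20T10:00:05Z 203.0.113.5 GET /v1/phone/verify?phone=%2B15550100006 200
2024-06-20T10:00:06Z 198.51.100.7 GET /v1/health 200
"""

VERIFY_PATH = "/v1/phone/verify"  # constructed route name


def enumeration_suspects(log_text: str, threshold: int = 5) -> dict:
    """Count distinct phone values each client IP sent to the verify route.
    Clients exceeding `threshold` distinct numbers are returned as suspects,
    mapped to their distinct-number count. Legitimate clients repeat their own
    number; enumeration walks through many different ones."""
    distinct_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed or truncated line, skip
        _ts, ip, _method, target, _status = parts
        url = urlsplit(target)
        if url.path != VERIFY_PATH:
            continue
        phones = parse_qs(url.query).get("phone", [])
        for phone in phones:
            distinct_by_ip[ip].add(phone)
    return {ip: len(s) for ip, s in distinct_by_ip.items() if len(s) > threshold}


if __name__ == "__main__":
    print(lookup_unauthenticated("+15550100001"), lookup_unauthenticated("+15550109999"))
    print(lookup_hardened("+15550100001", None), lookup_hardened("+15550100001", issue_token()))
    print(enumeration_suspects(SAMPLE_LOG))
```

The two handlers differ in exactly the properties Twilio's statement points at: the hardened one rejects unauthenticated requests, and it also removes the second weakness that a credential alone does not cure, a reply that differs by number. The log detector is the operational complement: even a fixed endpoint benefits from an alert when one client sweeps through many distinct numbers.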
What To Do
It goes without saying that if, like me, you are an Authy user, you need to be careful of any texts claiming to be from the firm.
Since the breach has leaked phone numbers, the biggest risk for users will be targeted phishing type attacks, says Sean Wright, head of application security at Featurespace. While many may be concerned about attackers having access to their accounts, he says that is “highly unlikely since the attackers will need to be able to obtain the seeds for the MFA tokens stored in Authy.”
Wright recommends that users remain vigilant, and “be very wary of any messages you receive from unknown senders.”
He says this is especially important for messages “that appear to have a sense of urgency or are warning of financial loss if no action is taken.”
You could also look to move to another MFA application as a replacement for Authy—or use the even more secure option of hardware keys, such as the Yubico YubiKey, Wright says.
If you find you can’t access your Authy account, the firm recommends immediately contacting Authy support. “One of our specialists will respond to your request, and work with you to get your Authy account back up and running again.”
And of course, as Authy recommends, it’s a good idea to update your iOS or Android app now to pick up the latest security fixes.