Twilio, the company behind the two-factor authentication app Authy, has reported a security breach that exposed 33 million Authy-linked phone numbers. This incident was caused by an unsecured API endpoint that allowed unauthorized access to the associated data.
Twilio disclosed the breach on July 1, 2024. The issue stemmed from an “unauthenticated endpoint,” which permitted access without proper security checks. Although no passwords, two-factor authentication seeds, or other sensitive account details were compromised, phone numbers linked to Authy accounts were exposed.
The hacking group ShinyHunters is responsible for the breach and has leaked a file containing the phone numbers on a hacking forum. This increases the risk of phishing attacks and SIM swapping. Twilio has since secured the vulnerable endpoint and assured users that no other Twilio systems or sensitive data were accessed. Users are encouraged to update their Authy apps to the latest versions (Android v25.1.0 or later, iOS v26.1.0 or later) for enhanced security.
Authy users should take several preventive steps: update their Authy app to the latest version, enable SIM lock to protect against unauthorized transfers, and remain cautious of unsolicited messages or calls requesting login information. Users might also consider switching to a different 2FA app, such as Aegis Authenticator for Android, which is a free option offering strong security features.
Twilio reiterated its commitment to security and transparency, stating that the security of their products and their customers' data is of utmost importance. Twilio’s Security Incident Response Team is closely monitoring the situation and will provide updates as necessary. Users experiencing issues with their Authy accounts are encouraged to contact Authy support for assistance.
This incident highlights the importance of securing API endpoints and maintaining strong security practices to protect user data. As cyber threats continue to evolve, both companies and users must remain vigilant and proactive about their security measures.
 |
| This incident was caused by an unsecured API endpoint that allowed unauthorized access to the associated data |