Twilio has issued a critical update for its Authy application, used for two-factor authentication (2FA), after detecting a vulnerability that allowed malicious actors to identify phone numbers associated with Authy accounts through an unauthenticated access point.
Details of the Incident
Twilio has identified that malicious actors were able to access data associated with Authy accounts, including phone numbers, through an unauthenticated access point. The company has taken immediate steps to secure this access point, which no longer accepts unauthenticated requests. While there is no evidence that the attackers accessed other sensitive data from Twilio, the company recommends that all Authy users update to the latest versions of the Android and iOS applications to secure their accounts.
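The weakness described above is a generic one: an endpoint that accepts a phone number without authentication and answers differently depending on whether an account exists lets anyone build a list of registered numbers. The following Python is an added illustration written for this article, not Twilio's or Authy's code; the endpoint shape, the token scheme, the account table and the access-log format are all assumptions. It shows the enumeration-prone pattern, a hardened form that rejects unauthenticated callers and gives a uniform response, and a small detector that flags clients querying many distinct numbers.

```python
"""Added illustration of an account-enumeration weakness and its mitigations.
Hypothetical code, not Twilio's or Authy's; all names and values are assumed."""
from collections import defaultdict
from typing import Dict, Optional
import hashlib
import hmac

# Constructed sample account store (placeholder numbers, not real data).
ACCOUNTS = {"+15550001111": "user-a", "+15550002222": "user-b"}

# Constructed shared secret for the hardened endpoint (placeholder value).
API_SECRET = b"example-secret-not-real"


def leaky_lookup(phone: str) -> dict:
    """Enumeration-prone pattern: no authentication, and the status code and
    body differ depending on whether the phone number has an account."""
    if phone in ACCOUNTS:
        return {"status": 200, "registered": True}
    return {"status": 404, "registered": False}


def issue_token() -> str:
    """Hypothetical client credential: an HMAC over a fixed client label."""
    return hmac.new(API_SECRET, b"lookup-client", hashlib.sha256).hexdigest()


def _valid_token(token: Optional[str]) -> bool:
    """Constant-time comparison so timing does not leak the expected token."""
    if token is None:
        return False
    return hmac.compare_digest(token, issue_token())


def hardened_lookup(phone: str, token: Optional[str]) -> dict:
    """Hardened pattern: reject unauthenticated callers, and answer with the
    same status and shape whether or not the number is registered, so even an
    authenticated client cannot turn the endpoint into an oracle."""
    if not _valid_token(token):
        return {"status": 401}
    # The real work (e.g. queuing a verification message) would happen here
    # using ACCOUNTS.get(phone); the response deliberately does not reveal
    # whether that lookup found anything.
    return {"status": 202}


# Constructed access-log lines in the assumed format "<client_ip> <phone> <status>".
SAMPLE_LOG = """\
203.0.113.7 +15550001111 200
203.0.113.7 +15550002222 200
203.0.113.7 +15550003333 404
203.0.113.7 +15550004444 404
203.0.113.7 +15550005555 404
198.51.100.9 +15550001111 200
"""


def enumeration_suspects(log_text: str, threshold: int = 4) -> Dict[str, int]:
    """Return clients that queried at least `threshold` distinct phone numbers.
    A single client sweeping many numbers, most of them unregistered, is the
    signature of enumeration rather than normal use."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, phone, _status = parts
        seen[client].add(phone)
    return {client: len(phones) for client, phones in seen.items() if len(phones) >= threshold}


if __name__ == "__main__":
    print("leaky:", leaky_lookup("+15550001111"), leaky_lookup("+15550009999"))
    print("hardened, no token:", hardened_lookup("+15550001111", None))
    print("hardened, token:", hardened_lookup("+15550009999", issue_token()))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The detector keys on distinct numbers per client rather than request volume, because a legitimate client re-checking one number many times should not trip it, while an enumeration run necessarily touches many different numbers.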
Precautionary Measures and Required Update
To protect their accounts, users should update their applications to the latest available versions.
While Authy accounts themselves have not been compromised, the exposed phone numbers could be used in phishing and smishing attacks. Twilio urges users to be vigilant and to treat unexpected text messages with caution.
Official Statements
Kari Ramirez, a spokesperson for Twilio, informed TechCrunch: “We have detected that malicious actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated access point. We have taken steps to secure this access point and no longer allow unauthenticated requests. As a precaution, we ask all Authy users to update to the latest versions of the Android and iOS applications to benefit from the latest security updates and encourage all users to be alert to possible phishing and smishing attacks.”
Additional Context
Last week, a hacker known as ShinyHunters claimed to have stolen 33 million phone numbers from Twilio. A list of phone numbers alone may not seem especially dangerous, but it still poses a significant threat: attackers can impersonate Authy or Twilio, which makes phishing messages sent to those numbers far more credible. Rachel Tobac, a social engineering expert and CEO of SocialProof Security, explained that hackers can now specifically target known Authy users, making their malicious messages appear legitimate.
Twilio’s swift response to secure the unauthenticated access point and the recommendation to update Authy applications highlight their commitment to user security. It is crucial for users to follow these recommendations to protect their accounts and remain vigilant against possible phishing and smishing attacks.