Skip to content

Twilio Authy breach leaks data of 33 million users

  • by
  • 2 min read

Illustration: Supimol Kumying | Shutterstock

A data breach at Twilio resulted in hackers leaking nearly 33 million phone numbers associated with the Twilio-owned two-factor authentication app Authy. ShinyHunter hackers announced the breach on the recently relaunched BreachForums last month.

Twilio has since confirmed the breach but hasn’t commented on the number of users affected. The company’s statement reads that “threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.”

The compromised endpoint has since been secured, and Twilio claims there’s no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. The company has also released updated versions of the Android and iOS Authy apps and urged users to update their installations as soon as possible

Knowing which numbers are used for Authy also enables attackers to discover new ways to bypass any multi-factor authentication systems the victims might use. Attackers can also impersonate Twilio or Authy, increasing the legitimacy of any attempted phishing or smishing attacks.

The company maintains that Authy accounts aren’t compromised.

However, threat actors might use the compromised numbers to carry out phishing and smishing attacks. Twilio has asked Authy users to “stay diligent and have heightened awareness around the texts they are receiving.”

Mere phone numbers getting leaked might not seem like that big of a deal, but it can cause a lot of trouble for the owners. In 2022, Twilio suffered a similar breach in which threat actors gained access to data from over 100 company customers. This data was then used to carry out phishing attacks, which resulted in over 10,000 employees from at least 130 companies getting their credentials stolen, including two-factor codes.

In the News: Researchers catch Mekotio Banking Trojan attacking Latin America

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>