Twilio Confirms Attackers Identified Authy Phone Numbers, Urges Users to Update App

In a recent statement, Twilio, the owner of the popular two-factor authentication (2FA) service Authy, revealed that attackers were able to link phone numbers to specific Authy accounts. This announcement comes a week after hackers claimed to have stolen 33 million Authy phone numbers, raising concerns about the security of user data.

According to Twilio, the attackers exploited an unauthenticated endpoint to access data associated with Authy accounts, including phone numbers. The company has since taken steps to secure the endpoint and prevent unauthorized access. While Twilio maintains that there is no evidence of the attackers gaining access to sensitive data within their systems, they urge users to remain vigilant against potential phishing and smishing attacks using stolen phone numbers.

To mitigate the risk, Twilio advises all Authy users to update their app to the latest versions on Android and iOS devices. Additionally, the company announced that its 2FA desktop app will no longer be available for Windows, MacOS, and Linux users, prompting customers to switch to mobile apps and backup their tokens across devices.

The perpetrators behind the attack, known as ShinyHunters, have been linked to other high-profile breaches involving companies like Santander and Ticketmaster. Twilio’s history of data breaches, including a phishing incident in 2022, underscores the importance of maintaining strong security measures to protect user information.

As the investigation into the Authy breach continues, users are advised to exercise caution and report any suspicious activity to Twilio. Stay tuned for updates on this developing story.