Highlights:

  • While Authy accounts remain uncompromised, Twilio warns that threat actors may attempt to use associated phone numbers for phishing and smishing attacks.
  • Users are encouraged to remain vigilant and verify the legitimacy of received texts.

Cloud communications provider Twilio Inc. is urging Authy users to update their apps after data linked to Authy accounts was exposed to threat actors through an unauthenticated endpoint.

The request comes a week after well-known threat actor ShinyHunters claimed to have compromised Authy and posted a CSV file on BreachForums containing 33 million phone numbers registered with the service. Twilio Inc. has owned Authy since 2015. Authy is a two-factor authentication app that secures access to online accounts, with features such as multi-device support and encrypted backups.

Twilio issued a security alert on July 1, stating that it had secured the exposed endpoint and halted unauthenticated requests. The company also said there is “no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.” As a precaution, all Authy users are advised to update to the latest app version for improved security.

While Authy accounts remain uncompromised, Twilio cautions that threat actors could exploit associated phone numbers for phishing and smishing attacks. Users are advised to stay vigilant and scrutinize the legitimacy of any texts they receive.

Jason Kent, hacker in residence at API security and bot management company Cequence Security Inc., told a leading media house, “As the standard script for breaches in the API era, Twilio is next on stage. We have shown over and over that an API endpoint that accepts data and gives responses on that data needs to be covered with both Authentication and Authorization or someone will abuse the endpoint.”

Kent added, “If you are an Authy user, you are advised to understand that the MFA service for your account may be compromised. Any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end-user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t.”

Hackers have previously targeted Twilio. In August 2022, Twilio disclosed a cyberattack in which employee credentials were stolen, granting hackers access to a “limited number” of customer accounts. Regrettably, the accessed information was used to intercept one-time passwords issued by Okta Inc.