
Twilio confirms hackers accessed Authy user phone numbers

At the end of June, hackers claimed to have stolen 33 million phone numbers from Twilio, a major U.S. messaging company. Last week, Twilio confirmed the breach, revealing that threat actors had managed to identify phone numbers belonging to users of Authy, the popular two-factor authentication app owned by Twilio.

 

The hacker group known as ShinyHunters took responsibility for the breach in a post on a well-known hacking forum. They claimed to have accessed the phone numbers of 33 million users and subsequently identified Authy customers’ phone numbers and other data through an unauthenticated endpoint, which has since been secured.

 

Twilio spokesperson Kari Ramirez stated there is no indication of further breaches of Twilio’s systems or sensitive data. However, Authy users are advised to immediately update the app to the latest versions on Android and iOS to mitigate potential risks. Twilio’s statement emphasized their commitment to security, saying: “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint […] We know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened.”

 

Although there is no evidence that hackers accessed other parts of Twilio’s systems or sensitive data, the company insists that users update to the latest app versions, which contain new security updates. Investigations are ongoing.

This breach is not Twilio’s first encounter with cyber threats. In 2022, a significant data breach occurred when hackers accessed data from over 100 commercial customers. This breach involved a phishing campaign that led to the theft of around 10,000 employee credentials from at least 130 companies. During that incident, hackers targeted 93 individual Authy users and registered additional devices on their accounts, enabling them to steal two-factor authentication codes. Such attacks highlight the limitations of two-factor authentication and underscore the importance of using more advanced multi-factor authentication (MFA) methods.

 

In a statement shared with teiss on 11 July 2024, the company also said: “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

“We have seen no evidence that the threat actors breached Twilio’s systems or that they obtained access to Twilio’s systems or other sensitive internal data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.”



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543