Last week, a hacker claimed to have stolen 33 million phone numbers from US messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone numbers of people using Authy, a popular two-factor authentication app owned by Twilio.
In a post on a popular hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the mobile phone numbers of 33 million users.
Twilio spokesperson Carrie Ramirez told TechCrunch that the company “discovered that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and are no longer allowing unauthenticated requests.”
“We have not seen any evidence that threat actors have gained access to Twilio systems or other sensitive data. As a precaution, we are asking all Authy users to update to the latest Android and iOS apps to get the latest security updates and we encourage all Authy users to remain diligent and increase awareness about phishing and SMS attacks,” Ramirez wrote in an email.
Twilio also posted an alert with the same statement on Authy's official website today, Monday.
Contact Us
Do you have more information about this Twilio/Authy incident? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
While obtaining a list of phone numbers may not seem like the most serious data breach in itself, it can still pose a threat to the owners of those numbers.
“If attackers are able to enumerate a list of user phone numbers, these attackers can pretend to be Authy/Twilio to those users, increasing the credibility of the phishing attack on that phone number,” Rachel Tobac, a social engineering expert and CEO of SocialProof Security, told TechCrunch.
Tobac explained that hackers are now able to target people they know are Authy users, giving attackers the opportunity to make their malicious messages appear to actually come from Authy and Twilio.
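The root cause Twilio describes (an unauthenticated endpoint that revealed which phone numbers had Authy accounts) and the enumeration risk Tobac describes are a well-known pattern. The following is an added example, not Twilio's or Authy's code and not a description of the actual endpoint: a hypothetical account-lookup handler written as plain Python functions, showing the leaky unauthenticated form beside a hardened form that requires a token, throttles each caller and returns the same response shape for registered and unknown numbers, plus a small detector that flags a caller walking many distinct numbers in constructed access-log lines. All names, paths and sample data are assumptions.

```python
"""Added example (not Twilio's or Authy's code): a hypothetical phone-number
lookup endpoint, the leaky unauthenticated version beside a hardened one, and a
detector for enumeration bursts over constructed access-log lines."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
import re

# Constructed sample data: numbers the hypothetical lookup service knows about.
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}


def lookup_vulnerable(phone: str) -> dict:
    """Unauthenticated lookup with a different answer for registered and
    unknown numbers: anyone can walk the number space and build a user list."""
    if phone in REGISTERED:
        return {"status": 200, "registered": True}
    return {"status": 404, "registered": False}


@dataclass
class HardenedLookup:
    """Lookup that requires a valid API token, throttles per caller, and gives
    a uniform answer so the response no longer reveals whether a number is
    registered (hypothetical design, not the vendor's fix)."""
    valid_tokens: set
    max_per_window: int = 5
    calls: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, phone: str, token: Optional[str], caller: str) -> dict:
        if token not in self.valid_tokens:
            return {"status": 401}
        self.calls[caller] += 1
        if self.calls[caller] > self.max_per_window:
            return {"status": 429}
        # Same status and body regardless of whether `phone` is registered.
        return {"status": 202,
                "message": "If this number is registered, a verification was sent"}


# Matches a constructed combined-log style line: "<ip> - "GET /lookup?phone=%2B...".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ "(?:GET|POST) /lookup\?phone=(?P<phone>%2B\d+)')


def find_enumerators(log_lines, threshold: int = 10) -> dict:
    """Return {ip: distinct numbers probed} for callers at or above `threshold`.
    A single source querying many different numbers is the enumeration signal."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["phone"])
    return {ip: len(nums) for ip, nums in seen.items() if len(nums) >= threshold}


# Constructed log lines: one source walking twelve numbers, one ordinary user.
SAMPLE_LOG = (
    [f'203.0.113.9 - "GET /lookup?phone=%2B1555000{i:04d} HTTP/1.1" 404 12'
     for i in range(12)]
    + ['198.51.100.4 - "GET /lookup?phone=%2B15550000001 HTTP/1.1" 200 12']
)

if __name__ == "__main__":
    print(lookup_vulnerable("+15550000001"), lookup_vulnerable("+15550009999"))
    hardened = HardenedLookup(valid_tokens={"example-token"})
    print(hardened.lookup("+15550000001", None, "203.0.113.9"))
    print(find_enumerators(SAMPLE_LOG))
```

The detector deliberately counts distinct numbers per source rather than raw request volume, since a legitimate user re-checking their own number produces many requests but only one distinct value; in production the same idea would be keyed on a short time window and fed from the real access log.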
In 2022, Twilio suffered a larger data breach, when a group of hackers gained access to data from more than 100 of the company’s customers. The hackers then launched a massive phishing campaign that resulted in the theft of approximately 10,000 employee credentials from at least 130 companies. As part of that breach at the time, Twilio said the hackers successfully targeted 93 individual Authy users and were able to register additional devices to those victims’ Authy accounts, effectively allowing them to steal authentic two-factor codes.
Updated at 12:52 PM ET: This story has been corrected to clarify that the 2022 Twilio breach is not directly related to the phishing campaign that resulted in the theft of approximately 10,000 employee credentials from multiple companies. Both attacks were allegedly carried out by the same threat actors.