04 July 24, 08:48
Quote: Malicious actors have managed to steal more than 33 million phone numbers used by users of the two-factor authentication service Authy.
Authy is a popular security application for managing one-time authentication codes for apps and online services. The codes add a second stage to sign-in: besides the password, the user has to enter the code currently shown in the app.
Here are the key points:
- Twilio, Authy's parent company, confirmed the authenticity of the data and the hack to Bleeping Computer.
- A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers.
- The list was obtained through an improperly secured API endpoint.
- The attacker fed the API a large number of phone numbers and recorded which ones the Authy system reported as known; in other words, the endpoint worked as an account-enumeration oracle.
- Attackers may use the phone numbers in SMS phishing or SIM swapping attacks.
The company revealed that it has secured the endpoint used in the attack. It furthermore released an update for Android and iOS as a precaution.
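The enumeration described above is easiest to see in code. The following is an added example written for this page, not Twilio's or Authy's code, and it makes no claim about how the real endpoint was implemented or fixed. It models a lookup endpoint that answers differently for registered and unregistered numbers, shows how an attacker harvests a list from it, and then shows a hardened variant that authenticates the caller, throttles per client, and returns the same body regardless of membership. The registered numbers, the API token and the rate-limit values are all constructed for the example.

```python
# Added example (not Twilio/Authy code): a minimal model of an
# account-enumeration oracle and a hardened replacement. All data is constructed.
import hmac
import time
from typing import Callable, Dict, Iterable, List, Optional

# Constructed set of "registered" numbers standing in for the user database.
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated, unthrottled lookup that leaks membership.

    The response differs for known and unknown numbers, so anyone who can
    reach the endpoint can feed it a list and keep the numbers that come
    back as registered. This is the failure mode the article describes.
    """
    if phone in REGISTERED:
        return {"status": 200, "registered": True}
    return {"status": 404, "error": "not found"}


def enumerate_numbers(lookup: Callable[[str], dict], candidates: Iterable[str]) -> List[str]:
    """What the attacker does: try many numbers, keep the ones reported as known."""
    return [p for p in candidates if lookup(p).get("status") == 200]


# --- Hardened variant (an assumed design for illustration, not Twilio's actual fix) ---
API_TOKEN = "hypothetical-service-token"  # hypothetical; would come from a secret store
RATE_LIMIT = 5            # requests allowed per client per window (constructed value)
WINDOW_SECONDS = 60.0
_buckets: Dict[str, tuple] = {}  # client_id -> (window_start, count)


def _rate_limited(client_id: str, now: float) -> bool:
    """Fixed-window counter per client; returns True once the limit is exceeded."""
    start, count = _buckets.get(client_id, (now, 0))
    if now - start >= WINDOW_SECONDS:
        start, count = now, 0
    count += 1
    _buckets[client_id] = (start, count)
    return count > RATE_LIMIT


def hardened_lookup(phone: str, token: Optional[str], client_id: str,
                    now: Optional[float] = None) -> dict:
    """Same backend, three changes: authenticate the caller, throttle it,
    and return a uniform body so the response never reveals membership."""
    now = time.time() if now is None else now
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return {"status": 401, "error": "unauthorized"}
    if _rate_limited(client_id, now):
        return {"status": 429, "error": "rate limited"}
    # The lookup still happens (e.g. to decide whether to send a code), but
    # the caller gets the same answer either way.
    _ = phone in REGISTERED
    return {"status": 202, "message": "request accepted"}


if __name__ == "__main__":
    probe = ["+15550000001", "+15559999999", "+15550000003"]
    print("vulnerable:", enumerate_numbers(vulnerable_lookup, probe))
    hardened = lambda p: hardened_lookup(p, API_TOKEN, "demo-client", now=0.0)
    print("hardened:  ", enumerate_numbers(hardened, probe))
```

Two caveats a reviewer would raise against even the hardened version: the membership check still runs, so a real deployment must also avoid timing differences between the two branches, and a fixed-window counter keyed on a single client identifier is trivially spread across many source addresses, so the throttle needs to be backed by monitoring for bursts of lookups across all clients.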
What affected users can do
Authy customers cannot look up whether their phone number is included in the leak. The phone number alone does not give attackers access to an account or its codes, so there is no direct threat.
Attacks are, however, possible:
- The attackers could use online searches or other leaked databases to link phone numbers to their owners.
- SMS phishing attacks that try to get users to share authentication codes or install malware on their devices.
- SIM swapping attacks, which require additional personal information and involve the victim's cellular provider.
The data in Authy is secure at this point. This is not the first incident, however. Back in 2022, Twilio confirmed that it suffered a data breach.
If this reminds you of LastPass, a password management service that suffered through a series of hacks and issues in the last couple of years, you are not totally mistaken.
...