- 2FA app Authy breach exposes 33 million phone numbers, putting them at risk for phishing attacks
- No accounts have been compromised to date.
- Twilio has already secured endpoints and improved app security.
On July 1, 2024, Twilio, the developer of the popular two-factor authentication (2FA) app Authy, disclosed a data breach affecting user phone numbers.
Although the account itself is not compromised, exposing your phone number poses a serious risk of phishing and smishing attacks.
Details on the Authy data breach
According to a security alert issued by Twilio, hackers were found to have accessed the Authy Android app database via an “unauthenticated endpoint.”
This breach allowed the attackers to identify data associated with user accounts, including phone numbers.
Despite this, Twilio has assured that user accounts were not compromised and authentication credentials remain secure.
However, exposed phone numbers can be exploited for phishing and smishing attacks, so Twilio urges users to be cautious and cautious if they receive suspicious text messages.
Authy, widely used for 2FA on centralized exchanges like Gemini and Crypto.com, generates codes on users’ devices to secure access to sensitive operations like withdrawals and transfers. Coinbase and Binance also allow this app as an option. It is often compared to Google Authenticator and serves a similar purpose in enhancing digital security.
Since the breach, Twilio has released updated versions of its apps that protect compromised endpoints and improve security measures. The company stressed that there is no evidence that the attackers accessed Twilio’s systems or other sensitive data.
Implications of a 2FA App Security Breach
The Authy breach highlights the ongoing threat posed by cybercrime groups like ShinyHunters.
ShinyHunters, known for massive breaches including the 2021 AT&T data breach (affecting 51 million customers), has leaked a text file containing 33 million phone numbers registered with Authy.
This breach highlights the fact that even the most trusted security applications have vulnerabilities.
Authenticator apps like Authy and Google Authenticator were developed to combat SIM swap attacks, a widespread social engineering tactic whereby attackers trick phone companies into sending the user’s phone number to the attacker, who then receives 2FA codes intended for legitimate users.
Despite the security benefits of these apps, recent breaches show that no system is completely secure.
To mitigate the risks associated with these breaches, users are encouraged to adopt multi-layered security measures, including regularly updating their authenticator apps, enabling app-based 2FA rather than SMS-based 2FA, and remaining vigilant against phishing attempts.
Users may also consider using a hardware security key for an added layer of protection.