
Recent hack exposes 33 million Authy users' phone numbers, raising phishing concerns
A recent hack has exposed the phone numbers of approximately 33 million Authy users, raising concerns about potential phishing attacks. Twilio, the company behind Authy, confirmed the breach, which occurred through an unauthenticated endpoint. This vulnerability allowed threat actors to access phone numbers associated with Authy accounts.
Twilio emphasized that Authy accounts themselves were not compromised, but the exposed phone numbers could be exploited for phishing and smishing attacks. The company has since secured the vulnerable endpoint and no longer permits unauthenticated requests. Users are advised to update their Authy apps to the latest versions on both Android and iOS to receive the latest security patches.
Twilio reassured users that there is no evidence suggesting the threat actors accessed Twilio’s systems or other sensitive data beyond the phone numbers. The company is actively monitoring the situation and recommends users remain vigilant regarding suspicious text messages. For users encountering issues accessing their Authy accounts, Twilio urges them to contact their support team immediately.




Comments
Don't forget to do backups (they're encrypted)
Bitwarden you don't need a sign in, unlike Ente. And Ente is based in India, where they have horrible privacy policies and history.
At the end of the day, it is open source, end-to-end encrypted and has been audited by a third party.
Exactly
That's what I'm planning... but they don't make it easy to export my tokens.
That's why you should avoid Authy ^^
Why use any of that? I use LogMeOnce and it's super easy. I don't even need to type anything or click anything, it just automatically detects the login field, fills in the details alongside a generated 2FA code and clicks the "Log In" button. Or if I have multiple accounts it just shows an easy popup menu asking for the account I would like to use. I click the one and it fills out everything and logs in. Very good for people without phones, still good for people with phones.
Sounds like any good password manager, like Bitwarden. The difference is the one you try to promote is comically bad, I can tell this just by looking at their website.
It's not open source and based in US.
LogMeOnce is a password manager, not an authenticator, isn't it? It says you have to pay to use something other than Google Authenticator with it for 2FA protection.
@K0RR, yes the website is really bad, looks old, colours are applied incorrectly and images look like bad quality stock images. But I can say I like the extension a lot. Also I am not promoting anything, I'm just saying I like it, so don't take me bad. @SamLander, I am not talking about using 2FA to log in to LogMeOnce, I am talking about LogMeOnce generating authentication codes for login. @BigBrotherIsWatching, Authy is also not properly open source, and also based in US (or at least, Twilio is based in US).