What just happened? Twilio has confirmed that a hacker stole millions of phone numbers belonging to users of its popular two-factor authentication app Authy. The company added that the threat actors may use these pilfered numbers for phishing and smishing attacks on the associated Authy accounts.
Last week, a hacker or hackers known as ShinyHunters posted a message on a popular hacking forum claiming they had compromised Twilio and obtained 33 million phone numbers registered with the Authy service.
ShinyHunters posted a CSV text file containing the numbers onto the dark web, writes BleepingComputer. The file contains 33,420,546 rows, each containing an account ID, phone number, an "over_the_top" column, account status, and device count.
In a security alert published this week, Twilio reported detecting that threat actors were able to identify data associated with Authy accounts, including phone numbers, through an unauthenticated API endpoint. It has since secured the endpoint, which no longer accepts unauthenticated requests.
BleepingComputer reports that the threat actors gathered the Authy user data by feeding a massive list of phone numbers into the unsecured API endpoint. For each number that matched a registered account, the endpoint returned information about that account, so it effectively served as a bulk oracle for which numbers are enrolled in Authy: no credentials were needed, and the response itself distinguished registered numbers from unregistered ones.
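As an added illustration (not code from Twilio, BleepingComputer or this article), the Python below simulates the mass-lookup pattern described above: a constructed in-memory account table with the same columns the leaked CSV is said to contain, an unauthenticated lookup that behaves the way the article describes the endpoint (returning account details for registered numbers), an attacker loop that feeds it a bulk list, and a hardened variant that requires an API key, rate-limits each client with a sliding window, and returns the same response whether or not a number is registered. The account table, the API key, the phone numbers, the client names and the limits are all assumptions made for the example.

```python
"""Simulation of phone-number enumeration against a lookup endpoint (added example).

Everything here is constructed for illustration: the account table, the API key,
the phone numbers and the rate limits are assumptions, not Twilio/Authy data or code.
"""
import hmac
import time
from typing import Optional

# Constructed sample "accounts" keyed by phone number, mirroring the columns the
# article lists for the leaked CSV (account ID, status, device count). Not real data.
ACCOUNTS = {
    "+15555550101": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15555550102": {"account_id": 1002, "status": "suspended", "device_count": 1},
}

# Assumed per-client credential for the hardened endpoint (hypothetical value).
API_KEY = "constructed-demo-key"


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated lookup: answers for anyone, and answers differently for
    registered and unregistered numbers, so it doubles as an enumeration oracle."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"found": False}
    return {"found": True, **acct}


def enumerate_numbers(candidates, lookup) -> dict:
    """Attacker loop: submit a bulk list and keep every number the endpoint confirms."""
    hits = {}
    for number in candidates:
        response = lookup(number)
        if response.get("found"):
            hits[number] = response
    return hits


class HardenedLookup:
    """Same lookup with three fixes: a required credential, a per-client sliding-window
    rate limit, and a response that is identical whether or not the number is
    registered. Any account-specific action (e.g. a push to the enrolled device)
    happens out of band, so the HTTP response leaks nothing about enrolment."""

    def __init__(self, max_per_window: int = 5, window_s: float = 60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._requests: dict = {}  # client -> list of request timestamps

    def _rate_limited(self, client: str, now: float) -> bool:
        recent = [t for t in self._requests.get(client, []) if now - t < self.window_s]
        recent.append(now)
        self._requests[client] = recent
        return len(recent) > self.max_per_window

    def lookup(self, phone: str, api_key: str, client: str = "anon",
               now: Optional[float] = None):
        """Returns (json_body, http_status)."""
        now = time.monotonic() if now is None else now
        # Constant-time comparison of the presented key against the expected one.
        if not hmac.compare_digest(api_key.encode(), API_KEY.encode()):
            return {"error": "unauthorized"}, 401
        if self._rate_limited(client, now):
            return {"error": "rate limited"}, 429
        # Deliberately uniform: the caller cannot tell registered from unregistered.
        _ = ACCOUNTS.get(phone)  # internal side effects would be triggered here
        return {"status": "ok"}, 200


if __name__ == "__main__":
    wordlist = ["+15555550100", "+15555550101", "+15555550102", "+15555550199"]
    print("vulnerable:", enumerate_numbers(wordlist, vulnerable_lookup))
    hardened = HardenedLookup()
    print("hardened:", enumerate_numbers(
        wordlist, lambda n: hardened.lookup(n, API_KEY, client="attacker")[0]))
```

Against `vulnerable_lookup` the attacker loop recovers exactly the registered numbers and their metadata from a four-entry wordlist; against `HardenedLookup` it recovers nothing, and after the window budget is spent it receives 429s. Note that the rate limit alone would only slow a distributed attacker down; the uniform response is what removes the oracle.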
Twilio also states that it has found no evidence of the hackers gaining access to its systems or to any sensitive data beyond the phone numbers. As a precaution, however, it is recommending that Authy users update to the latest Android and iOS versions of the app. The company has apologized for the incident.
This isn't the first major hacking incident Twilio has faced. It suffered data breaches in June 2022 and August 2022 after a hacking group ran a phishing campaign in which roughly 10,000 employee credentials were stolen from at least 130 companies.
As Twilio was one of the companies successfully targeted during that campaign, attackers were able to access data from 163 Twilio accounts. They were also able to access 93 Authy accounts and register additional devices to these accounts, which allowed them to steal users' two-factor authentication codes.