July 3, 2024 at 12:48PM
An unsecured Twilio API endpoint allowed threat actors to access millions of Authy users’ phone numbers, potentially making them vulnerable to smishing and SIM swapping attacks. ShinyHunters leaked a CSV file with 33 million phone numbers. Twilio has secured the API and urged users to update their Authy apps for security. Users should also be vigilant against phishing attacks.
Based on the meeting notes, here are the key takeaways:
– Twilio, the company behind Authy, has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to smishing and SIM swapping attacks.
– A threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service on a hacking forum, obtained through the unsecured API endpoint.
– Twilio has taken action to secure the unauthenticated API endpoint and has released new security updates for the Authy Android and iOS apps (v25.1.0 and v26.1.0) for user protection. They recommend all Authy users to update their apps for the latest security updates.
– Authy users are advised to configure their mobile accounts to block number transfers without providing a passcode or turning off security protections and to be vigilant against potential SMS phishing attacks that attempt to steal sensitive data, such as passwords.
These takeaways reflect the current security situation with Authy and the measures being taken to mitigate the potential risks for users.