The recent data breach affecting Twilio may have taken a rather unfortunate extra turn after new reports claim the hackers can single out Authy users from the archives.
The infamous ShinyHunters hacking collective recently said it stole 33 million phone numbers from Twilio, and the company has now revealed that the attackers were able to determine which of those phone numbers are used for its Authy service.
For those unfamiliar with Authy, it is a popular multi-factor authentication (MFA) tool, which Twilio acquired back in 2015.
Impersonating Authy
Twilio spokesperson Kari Ramirez told TechCrunch the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.
Knowing which phone numbers are used for Authy opens up new ways for hackers to conduct phishing attacks and bypass their victims’ MFA.
For example, cybercriminals could impersonate Authy and reach out to the users via SMS and have them share time-sensitive codes to access different accounts.
“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, CEO of SocialProof Security, told the publication.
Twilio is a cloud communications platform designed for companies looking to integrate real-time communications into their software applications.
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews