Twilio detected an API abuse that allowed threat actors to verify the existence of 33 million phone numbers linked to Authy accounts. The issue stemmed from an unauthenticated endpoint that has since been secured by the company.
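The class of bug described above, as an added illustration that is not Twilio's or Authy's code: a hypothetical phone-number lookup handler whose response differs for registered and unknown numbers (an existence oracle reachable without credentials), beside a hardened handler that requires a client credential, rate-limits per client, and answers identically either way. The account store, token and handler names are constructed for the example.

```python
"""Existence-oracle endpoint vs. hardened endpoint (hypothetical, constructed data)."""
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample store: E.164 numbers that have an account.
REGISTERED = {"+15550100001", "+15550100002"}
# Constructed client credentials; a real service issues these per integration.
API_TOKENS = {"token-for-app-A"}

def vulnerable_lookup(phone: str) -> dict:
    """No authentication, and the status code reveals whether the number
    has an account, so anyone can confirm numbers one by one."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "not found"}}

_calls = defaultdict(list)          # per-token request timestamps
RATE_LIMIT, WINDOW = 5, 60.0        # at most 5 lookups per token per minute

def reset_rate_limits() -> None:
    _calls.clear()

def hardened_lookup(phone: str, token: Optional[str], now: Optional[float] = None) -> dict:
    """Requires a valid client token, applies a per-client rate limit before
    touching the account store, and returns the same response whether or not
    the number is registered; any follow-up (e.g. a push to the enrolled
    device) happens out of band, so the caller learns nothing about existence."""
    now = time.monotonic() if now is None else now
    if token is None or not any(hmac.compare_digest(token, t) for t in API_TOKENS):
        return {"status": 401, "body": {"error": "unauthorized"}}
    recent = [t for t in _calls[token] if now - t < WINDOW]
    _calls[token] = recent + [now]
    if len(recent) >= RATE_LIMIT:
        return {"status": 429, "body": {"error": "rate limited"}}
    if phone in REGISTERED:
        _queue_out_of_band_verification(phone)   # side effect only, never echoed
    return {"status": 202, "body": {"message": "request accepted"}}

def _queue_out_of_band_verification(phone: str) -> None:
    pass  # placeholder for the real delivery path

def leaks_existence(handler, *args) -> bool:
    """Does the handler answer differently for a registered and an unknown number?"""
    return handler("+15550100001", *args) != handler("+15550199999", *args)
```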
Authy, a widely used two-factor authentication (2FA) application owned by Twilio, helps secure user accounts by requiring a second form of authentication beyond just passwords. The application's reliance on phone numbers for account recovery and verification was exploited in this incident, putting millions of users at potential risk.
The incident came to light following a forum post on BreachForums by the notorious threat actor and data broker 'ShinyHunters' on June 27, 2024. The post included a sample of data extracted from the exploited endpoint, showcasing phone numbers linked to Authy accounts. This prompted Twilio to investigate and confirm the vulnerability.
Twilio quickly addressed the issue by securing the vulnerable endpoint to prevent any further unauthorized access. The company reassured users that there is no evidence of threat actors accessing Twilio's internal systems or other sensitive data. However, they cautioned that the exposed phone numbers could potentially be used for phishing and smishing attacks.
Upgrade to the latest Authy
Twilio has urged all Authy users to update their Android and iOS apps to the latest versions (v25.1.0 for Android and v26.1.0 for iOS), which include critical security updates and bug fixes. This update is designed to mitigate any further risks associated with the identified vulnerability.
To help users protect themselves, Twilio has provided the following recommendations:
- Ensure that you are using the latest version of the Authy app to benefit from the latest security enhancements.
- Users should be extra cautious about any unusual texts or messages they receive, as threat actors may attempt to exploit the exposed phone numbers for phishing or smishing.
- If you notice any suspicious activity related to your Authy account, contact Authy support immediately for assistance.
Twilio's Security Incident Response Team is monitoring the situation closely and will provide updates if there are any new developments. Users with further questions are encouraged to reach out to their Technical Account Manager or the Twilio Support team.
The exposure of Authy-linked phone numbers is concerning, but the severity is mitigated by the fact that no sensitive account information or internal Twilio systems were compromised.
The primary risk for Authy users is the potential for increased phishing and smishing attempts, where threat actors might use verified phone numbers to craft convincing fraudulent messages. Users must be cautious and verify the authenticity of any communication they receive, especially those requesting personal information or login credentials.