Hacker Exploits Authy API, 33 Million Users Affected
Recently, on an underground hacker forum, a hacker released a CSV file containing 33.42 million rows of data. Each row includes account IDs, phone numbers, account statuses, and the number of devices, sourced from the renowned multi-factor authenticator, Authy.
Authy is a widely recognized multi-factor authentication tool. Before Google Authenticator supported synchronization of its data, Authy already offered this feature, allowing users to display verification codes on multiple devices without fear of losing the codes if a device was lost.
Regarding this data breach, Authy’s developer, Twilio, has confirmed the authenticity of the leaked data. The breach wasn’t due to a successful hack of Authy itself, but rather the exploitation of an API endpoint lacking stringent authentication.
Through this method, hackers successfully matched 33,420,546 user records. Although user account passwords were not compromised, the exposure of phone numbers can lead to severe consequences, such as targeted phishing attacks.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” reads a security update published by the company. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”
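As an added illustration of the bug class described above (this is not Twilio's code and not Authy's actual API, which is not shown on this page), the following Python contrasts a hypothetical unauthenticated lookup that reveals whether a phone number is registered with a hardened handler that authenticates the caller, rate-limits each client, and returns the same response regardless of registration state; the registered numbers, API token and client IDs are constructed placeholders.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample data for the example; these are not real records or tokens.
REGISTERED = {"+15550100001", "+15550100002"}
VALID_API_TOKENS = {"token-for-trusted-client"}


def lookup_unauthenticated(phone):
    """Hypothetical weak handler: no authentication, and the response differs
    depending on whether the number is registered, so a caller can confirm
    which numbers from a list belong to accounts."""
    if phone in REGISTERED:
        return {"status": 200, "registered": True}
    return {"status": 404, "registered": False}


class RateLimiter:
    """Fixed-window per-client counter (in-memory; production code would use
    a shared store so the limit holds across application instances)."""

    def __init__(self, max_per_window, window_seconds):
        self.max = max_per_window
        self.window = window_seconds
        self.hits = defaultdict(list)

    def allow(self, client_id, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.hits[client_id] if now - t < self.window]
        self.hits[client_id] = recent
        if len(recent) >= self.max:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(max_per_window=5, window_seconds=60)


def lookup_hardened(phone, api_token, client_id, now=None):
    """Hardened handler: authenticate, throttle, and never leak registration state."""
    # 1. Require a valid API token; compare in constant time.
    if not any(hmac.compare_digest(api_token or "", t) for t in VALID_API_TOKENS):
        return {"status": 401}
    # 2. Throttle per authenticated client so bulk lookups are slowed and logged.
    if not LIMITER.allow(client_id, now):
        return {"status": 429}
    # 3. Identical response whether or not the number is registered; any
    #    verification code would be delivered out of band to the number itself.
    _is_registered = phone in REGISTERED  # used internally only, never echoed
    return {"status": 202, "message": "If this number is registered, a code has been sent."}
```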
With the knowledge of phone numbers, hackers can also gather target user information for more complex and troublesome SIM-swapping attacks. Although SIM-swapping attacks are difficult to execute, their success can result in immeasurable losses for the victims.
Unfortunately, since the data has already been leaked, there is no effective remedy. The best course of action for users might be to switch to another authenticator and disable Authy’s phone number login feature to prevent SIM-swapping attacks.
Via: TechCrunch