Cybercriminals steal phone numbers of 33 million Authy users



Messaging service Twilio has announced that mobile phone numbers of users of its two-factor authentication app Authy have been stolen by cybercriminals. The announcement comes a week after cybercriminals claimed to have stolen 33 million phone numbers.

Security Alert: Update to the Authy Android (v25.1.0) and iOS App (v26.1.0) | Twilio
https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS



Twilio says hackers identified cell phone numbers of two-factor app Authy users | TechCrunch
https://techcrunch.com/2024/07/03/twilio-says-hackers-identified-cell-phone-numbers-of-two-factor-app-authy-users/



The attack was carried out by an attacker or group of attackers known as 'ShinyHunters,' who posted on a hacking forum that they had 'hacked Twilio and obtained the mobile phone numbers of 33 million users.'

Twilio initially said it had no confirmation that phone numbers had been compromised, but later updated its announcement page to acknowledge that 'data associated with Authy accounts, including phone numbers,' had been stolen.

According to Twilio, ShinyHunters exploited unauthenticated endpoints to access user data from Authy, a two-factor authentication app owned by the company, and, most worryingly, to identify user phone numbers. Twilio has since patched the vulnerability and taken steps to block unauthenticated requests.



In response to this incident, Twilio is urging all Authy users to update to the latest Android and iOS apps and to remain vigilant against phishing and smishing attacks (phishing via SMS).

This is not the first time Twilio has fallen victim to a cyberattack; in 2022, a cyberattack group gained access to the data of more than 100 of Twilio's corporate customers.

Rachel Tobac, a social engineering expert and CEO of SocialProof, warned of the risk posed by phone number theft, saying, 'If an attacker can enumerate a list of users' phone numbers, they can pretend to be Authy or Twilio to the user, making phishing attacks against that phone number more credible.'

in Security, Posted by log1i_yk