Millions of Phone Numbers Exposed in Twilio’s Authy Breach

Twilio Authy LogoIn a security alert posted on July 1, 2024, cloud communications provider Twilio revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts – including users’ cell phone numbers.  The company indicated that the endpoint in question was no longer accepting unauthenticated requests.  

While the published alert does indicate that no further breaches were identified and that no other sensitive data was compromised.  Out of an abundance of caution, Twilio is urging users to upgrade their Android (version 25.1.0 or later) and IOS (version 26.1.0 or later) applications to the latest version.

The security alert came just days after online persona ShinyHunters published a database containing 33 million phone numbers to BreachForums.  The phone numbers were allegedly pulled from Authy accounts.

Authy is a very popular two-factor (2FA) application for Android and IOS.  It been owned by Twilio since 2015.  

Threat actors may attempt to use the phone numbers associated with Authy accounts for phishing or smishing attacks.  User should use caution and have heightened awareness when being contacted by unknown individuals, or by individuals claiming to be from Authy or Twilio, by phone or by text.

Worried about cybersecurity risks to your company?  Contact us today and let’s start a conversation.