
API endpoint of 2FA app Authy abused to obtain millions of phone numbers

Users of the 2FA code generator Authy should update the app to the latest version as soon as possible. Through an unsecured API endpoint, attackers managed to obtain, or more precisely verify, the phone numbers of millions of users of the two-factor authentication app.

The advice comes from Twilio, maker of the messaging and communication platform of the same name, which has owned Authy since 2015. In June, the threat group ShinyHunters leaked a CSV file containing 33 million phone numbers on BreachForums, the illegal marketplace the group runs itself.

The group claimed the data came from Authy. The owners of the phone numbers can now expect phishing attempts, SIM swapping, and other scams and thefts if they are unlucky.

Huge number of phone numbers fed into API endpoint

According to BleepingComputer, the attackers compiled the list by feeding a huge number of previously collected phone numbers into the unsecured API endpoint. For every valid number, the endpoint returned information about the linked Authy account. Technically, then, this is not a theft of data from Authy but a verification of which phone numbers are linked to Authy accounts. Where the numbers originally came from is still unclear.

In a security update, Twilio reports that it has secured the exposed endpoint and now blocks unauthenticated requests, should any occur. There were reportedly no attempts to log in using stolen credentials. The latest versions of Authy are v25.1.0 on Android and v26.1.0 on iOS. It is not clear how updating the app helps against phishing and smishing attacks; in any case, Twilio may be thinking: better safe than sorry.
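The two paragraphs above describe the weak pattern (an unauthenticated lookup whose answer differs for registered and unregistered numbers) and the fix (rejecting unauthenticated requests). The following is an added example, not Twilio's or Authy's code, that shows a toy lookup handler in both forms and a small detector that flags enumeration in constructed access-log lines; the account store, API key, log format and phone numbers are all hypothetical values made up for the example.

```python
import hmac
import re
from collections import defaultdict

# Constructed sample store of registered numbers (hypothetical values).
ACCOUNTS = {
    "+15550001111": {"account_id": "acc-001", "devices": 2},
    "+15550002222": {"account_id": "acc-002", "devices": 1},
}


def lookup_weak(phone):
    """Weak pattern: no authentication, and the reply tells the caller whether
    the number is registered (and even returns account details)."""
    account = ACCOUNTS.get(phone)
    if account is None:
        return 404, {"error": "not found"}
    return 200, dict(account)


# Hypothetical server-side API key; a real service would use per-client credentials.
SERVER_API_KEY = "example-key-do-not-use"


def lookup_hardened(phone, api_key):
    """Hardened version: the caller must authenticate, and the reply is identical
    whether or not the number is registered, so the endpoint is not an oracle."""
    if api_key is None or not hmac.compare_digest(api_key, SERVER_API_KEY):
        return 401, {"error": "unauthorized"}
    # Same status and body regardless of ACCOUNTS membership; account details
    # are never returned from a phone-number lookup.
    return 202, {"message": "if this number is registered, a verification code has been sent"}


# Constructed access-log format: timestamp, client IP, request, phone, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /api/lookup phone=(?P<phone>\+\d+) status=(?P<status>\d{3})$"
)

# Constructed sample log: one client probes many numbers, another does a single lookup.
SAMPLE_LOG = """\
2024-06-30T12:00:01Z 203.0.113.7 GET /api/lookup phone=+15550001111 status=200
2024-06-30T12:00:01Z 203.0.113.7 GET /api/lookup phone=+15550003333 status=404
2024-06-30T12:00:02Z 203.0.113.7 GET /api/lookup phone=+15550002222 status=200
2024-06-30T12:00:02Z 203.0.113.7 GET /api/lookup phone=+15550004444 status=404
2024-06-30T12:00:03Z 203.0.113.7 GET /api/lookup phone=+15550005555 status=404
2024-06-30T12:00:05Z 198.51.100.4 GET /api/lookup phone=+15550001111 status=200
"""


def parse_log(text):
    """Parse lines in the constructed format above; anything else is skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def flag_enumeration(events, threshold=3):
    """Return {ip: (distinct_numbers, not_found_ratio)} for every client that
    looked up more than `threshold` distinct numbers. Enumeration looks like
    many distinct numbers per client with a high share of 'not found' answers."""
    numbers = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for event in events:
        ip = event["ip"]
        numbers[ip].add(event["phone"])
        total[ip] += 1
        if event["status"] == "404":
            misses[ip] += 1
    return {
        ip: (len(nums), round(misses[ip] / total[ip], 2))
        for ip, nums in numbers.items()
        if len(nums) > threshold
    }


if __name__ == "__main__":
    print(lookup_weak("+15550001111"), lookup_weak("+15559999999"))
    print(lookup_hardened("+15550001111", SERVER_API_KEY),
          lookup_hardened("+15559999999", SERVER_API_KEY))
    print(flag_enumeration(parse_log(SAMPLE_LOG)))
```

The hardened handler only removes the existence oracle; in practice it belongs behind per-client rate limits as well, since even a uniform response lets an authenticated but abusive client burn resources. The detector is deliberately simple (distinct numbers per client plus the miss ratio) so it can run over plain access logs without needing the application database.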

Damage control

In addition to the leak above, Twilio is also working to limit potential damage after an unsecured AWS S3 bucket belonging to a third party was found to expose SMS data, originally sent through Twilio systems, to the internet.

This is not the first time Twilio has faced a cyberattack. In August 2022, criminals gained access to customer data by tricking company employees with phishing messages: the employees received text messages saying their passwords had expired, but the link in those messages led to a malicious website. One consequence of that breach was that the captured data was used to intercept one-time passwords of Twilio and Authy users with Okta accounts.
