Hackers claimed last week to have stolen 33 million phone numbers from US messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” had also managed to identify phone numbers belonging to users of Authy, a popular two-factor authentication app owned by Twilio.
In a post on a popular hacking forum, the hackers known as ShinyHunters wrote that they had hacked Twilio to obtain the mobile phone numbers of 33 million users.
“We detected that an unauthenticated endpoint enabled threat actors to identify data associated with Authy accounts, including phone numbers. We have taken steps to secure this endpoint and no longer allow unauthenticated requests,” Twilio spokesperson Kari Ramirez told TechCrunch.
“We have not seen any evidence that the threat actors accessed Twilio systems or other sensitive data. As a precautionary measure, we urge all Authy users to update to the latest Android and iOS apps to apply the latest security updates, and we encourage them to remain vigilant and aware of phishing and smishing attacks,” Ramirez said in an email.
Twilio also published a warning on its website on Monday containing a similar statement.
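The weakness Twilio describes, an endpoint that needs no authentication and whose response reveals whether a phone number belongs to an account, is a classic enumeration oracle. The following added example (not Twilio's or Authy's code) contrasts a leaky lookup handler with a hardened one that requires a session token, rate-limits per client and answers identically whether or not the number is registered; the phone numbers, token and data store are constructed stand-ins.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hmac
import time

REGISTERED = {"+15550001111", "+15550002222"}  # constructed sample accounts
VALID_TOKENS = {"tok-example"}                 # constructed; real systems verify signed sessions


@dataclass
class Request:
    phone: str
    token: Optional[str] = None
    client: str = "203.0.113.5"  # constructed client address used as rate-limit key


def leaky_lookup(req: Request) -> Tuple[int, dict]:
    """The pattern described in the article: no authentication, and the status
    and body differ for registered vs. unknown numbers, so any caller can test
    numbers one by one and learn which ones belong to accounts."""
    if req.phone in REGISTERED:
        return 200, {"registered": True}
    return 404, {"error": "not found"}


@dataclass
class RateLimiter:
    limit: int = 20
    window: float = 60.0
    hits: dict = field(default_factory=lambda: defaultdict(list))

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter()


def hardened_lookup(req: Request, limiter: RateLimiter = LIMITER,
                    now: Optional[float] = None) -> Tuple[int, dict]:
    """Rate-limits per client, rejects unauthenticated calls, and returns the
    same status and body whether or not the number is registered, so the
    response carries no information about account existence."""
    if not limiter.allow(req.client, now):
        return 429, {"error": "too many requests"}
    if req.token is None or not any(hmac.compare_digest(req.token, t) for t in VALID_TOKENS):
        return 401, {"error": "authentication required"}
    # Identical answer for known and unknown numbers; any notification is sent out of band.
    return 202, {"status": "if this number is registered, a notification was sent"}
```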
While obtaining a list of phone numbers may not seem like the most dangerous aspect of a data breach, it can still pose a threat to the owners of those numbers.
“If an attacker can enumerate a list of users' phone numbers, they can pretend to be Authy/Twilio to the user, making a phishing attack against that phone number more credible,” Rachel Tobac, social engineering expert and CEO of SocialProof Security, told TechCrunch.
Tobac explained that hackers can now specifically target known Authy users, making their malicious messages appear as if they were genuinely coming from Authy and Twilio.
In 2022, Twilio suffered a larger data breach in which a group of hackers gained access to data from more than 100 enterprise customers. With that information in hand, the group launched a widespread phishing attack, stealing roughly 10,000 employee credentials from at least 130 companies. As part of that breach, Twilio said the group had successfully targeted 93 Authy users, registering additional devices to the victims' Authy accounts and stealing the actual two-factor authentication codes.