If you use Authy, update your app immediately. Twilio, the messaging company that owns the two-factor authentication service, confirmed to TechCrunch on Wednesday that hackers breached Twilio and acquired the mobile phone numbers of 33 million users.
Twilio also confirmed the attack in a statement published on its website. “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint,” the statement reads. “We have taken steps to secure this endpoint and no longer allow unauthenticated requests.”
The company added that there was no evidence that hackers had accessed Twilio's systems or sensitive data, but it is essential to update to the latest version of the iOS and Android apps (on whatever device you use) as they include new security updates.
Twilio stressed that Authy accounts were not compromised. However, hackers (and anyone they share data with) could “attempt to use the phone number associated with Authy accounts to conduct phishing and smishing attacks.”
If you're not familiar with the term, smishing is the texting equivalent of phishing. So if you have an Authy account, be extra wary of unexpected text messages that appear to come from trusted sources, especially Authy or Twilio.
Rachel Tobac, social engineering expert and CEO of SocialProof Security, explained the risk to TechCrunch. “If attackers can enumerate a list of users’ phone numbers, they can impersonate Authy/Twilio to those users, increasing the credibility of a phishing attack on that phone number,” Tobac said.
“We encourage all Authy users to be diligent and more aware of the text messages they receive,” Twilio emphasized.