Hackers managed to breach the Authy Android app database and were able to extract information linked to accounts, such as phone numbers, as per a security alert published on July 1 by Twilio, the developer of the app. The security notice clarified that the accounts themselves remained secure, indicating that the attackers did not access authentication credentials. However, the exposed phone numbers could potentially be utilized in future phishing and smishing attempts. To address this potential risk, Twilio advised Authy users to remain vigilant and exercise caution regarding the messages they receive.
[Image: Twilio’s security alert concerning the Authy data breach. Source: Twilio]
Authy is a popular choice among centralized exchange users for implementing two-factor authentication (2FA). This process involves generating a code on the user’s device, which the exchange might request before processing withdrawals, transfers, or other critical transactions. Authy serves as the default 2FA application for exchanges like Gemini and Crypto.com, while platforms such as Coinbase, Binance, and numerous others offer it as an alternative.
The breach occurred through an “unauthenticated endpoint,” according to the security alert. Steps have been taken to secure this endpoint, preventing any further unauthenticated requests within the app. Users are advised to update to the latest version of the application, which includes enhanced security features.
Twilio assured users that their authenticator codes remained secure and inaccessible to the attackers, thus safeguarding their exchange accounts. The company stated that there was no indication of the threat actors breaching Twilio’s systems or acquiring other sensitive data.
Reports suggest that the cybercriminal group ShinyHunters executed the hack, leaking a document containing approximately 33 million phone numbers registered with Authy. In a separate incident in 2021, the same group was linked to an AT&T data breach, which exposed data from over 51 million customers.
Authenticator apps were designed to combat SIM swap attacks, a form of social engineering in which the attacker convinces a phone provider to transfer the user’s number to them. Once the number has been transferred, the attacker can intercept the user’s 2FA codes without physical possession of their device.
Such attacks remain prevalent, and some users continue to receive 2FA codes via text message rather than through an app. Instances like the recent losses suffered by OKX users due to SIM swap attacks highlight the ongoing risks in the digital security landscape.