Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that threat actors were able to identify the phone numbers of people who use Authy, a popular two-factor authentication app owned by Twilio. The breach occurred through an unauthenticated endpoint, which Twilio has since secured to prevent further unauthorized access.
In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users. This revelation has raised significant security concerns among Authy users, as their phone numbers could be used in targeted phishing attacks.
Twilio spokesperson Kari Ramirez told TechCrunch that the company has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers. Ramirez emphasized that Twilio has not found evidence that the attackers accessed other sensitive data within Twilio’s systems. As a precaution, Twilio is urging all Authy users to update to the latest Android and iOS apps to ensure they have the latest security updates and to stay alert for potential phishing and smishing attacks.
Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, explained that with a list of phone numbers, hackers can now specifically target Authy users. This increases the believability of malicious messages appearing to come from Authy or Twilio, thereby heightening the risk of successful phishing attacks. Twilio has published an alert on its official website and is working to ensure users are aware of the situation and take the necessary precautions.