Twilio says someone has obtained phone numbers associated with its two-factor authentication service (2FA), Authy, as reported earlier by TechCrunch. In a security alert on Monday, Twilio warns that the “threat actors” may try to use the stolen phone numbers to carry out phishing attacks and other scams.
The incident follows a 2022 data breach that occurred after a phishing campaign tricked employees into disclosing their login credentials. The attackers accessed data from 163 Twilio accounts and managed to access and register additional devices on 93 Authy accounts.
Twilio traced this leak back to “an unauthenticated endpoint” that it has since secured. Last week, the threat actor ShinyHunters published a list of 33 million phone numbers from Authy accounts on the dark web. As pointed out by BleepingComputer, the threat actor seems to have obtained the information by inputting a massive database of phone numbers into Authy’s unsecured API endpoint, which would then verify whether they’re associated with the app.
“We encourage all Authy users to stay diligent and have heightened awareness about the texts they are receiving,” Twilio writes. It adds that it “has seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data” and that Authy accounts weren’t compromised. Twilio is advising users to update their Authy apps on Android and iOS (the Authy desktop app has been discontinued).
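As an added example (not Twilio's code and not part of the original article), here is one way a defender could spot the bulk phone-number lookups described above in access logs: count distinct numbers queried per unauthenticated client in a sliding time window. The log format, the `/v1/lookup/` route, the window and the threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Assumed log format: "<epoch_seconds> <client_ip> <auth|anon> <path> <status>"
LINE = re.compile(r"^(\d+) (\S+) (auth|anon) (\S+) (\d{3})$")
# Hypothetical lookup route; the article does not name the real endpoint.
LOOKUP = re.compile(r"^/v1/lookup/(\+\d{7,15})$")


def find_enumerators(lines, window=60, max_distinct=5):
    """Return {client: peak distinct numbers} for unauthenticated clients that
    look up more than max_distinct different phone numbers within `window`
    seconds. Lines are expected in timestamp order."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, number)
    flagged = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not parse
        ts, client, auth, path, _status = m.groups()
        hit = LOOKUP.match(path)
        if auth != "anon" or not hit:
            continue  # only unauthenticated lookups are of interest
        ts = int(ts)
        q = recent[client]
        q.append((ts, hit.group(1)))
        while q and q[0][0] <= ts - window:
            q.popleft()  # drop lookups that fell out of the window
        distinct = len({number for _, number in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def sample_log():
    """Constructed log: one client sweeping numbers, two ordinary clients."""
    lines = []
    for i in range(20):  # 20 different numbers in 20 seconds
        status = 200 if i % 4 == 0 else 404  # differing answers reveal membership
        lines.append(f"{1000 + i} 203.0.113.7 anon /v1/lookup/+1555010{i:04d} {status}")
    for t in (1003, 1040, 1090):  # one client re-checking a single number
        lines.append(f"{t} 198.51.100.9 anon /v1/lookup/+15550199999 200")
    lines.append("1050 192.0.2.4 auth /v1/lookup/+15550123456 200")
    return sorted(lines, key=lambda line: int(line.split()[0]))


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

A per-client threshold like this only catches sweeps from a single source; requiring authentication on the endpoint, as Twilio says it has now done, removes the lookup oracle itself.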