A cybercriminal recently claimed to have stolen 33 million phone numbers from U.S. communications giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the contact details linked to users of Authy, Twilio’s widely used two-factor authentication app.
The hacker or group of hackers, known as ShinyHunters, boasted on a notorious cybercrime forum that they had breached Twilio and obtained the mobile numbers of 33 million people.
Speaking to TechCrunch, Twilio’s representative, Kari Ramirez, revealed that the firm had “identified that threat actors had managed to access data connected to Authy accounts, which includes phone numbers, through an unprotected endpoint. Immediate measures have been taken to fortify this endpoint against unauthorized access.”
“Our investigations haven’t found any indications that the malicious parties gained entry to Twilio’s internal systems or procured other types of sensitive information. However, as a preventive step, we’re advising all users of Authy to upgrade to the most recent versions of our Android and iOS applications to benefit from the latest enhancements in security. Additionally, we implore Authy users to remain vigilant against phishing and smishing schemes,” Ramirez added in written correspondence.
Twilio also posted a similar advisory on its official site on Monday.
Contact Us
If you possess additional insights regarding this incident involving Twilio/Authy, you can reach Lorenzo Franceschi-Bicchierai confidentially through Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or through email. TechCrunch also welcomes information via SecureDrop.
A list of phone numbers on its own may not seem especially dangerous, but it still poses a significant risk to the people those numbers belong to.
Rachel Tobac, a social engineering expert and CEO of SocialProof Security, told TechCrunch, “Should cybercriminals compile a database of users’ contact numbers, it arms them with the ability to masquerade as Authy/Twilio, enhancing credibility in potential phishing attempts directed at those numbers.”
Tobac added that knowing specific targets are Authy users makes it easier for attackers to send fraudulent messages that convincingly appear to come from Authy or Twilio.
In 2022, Twilio suffered a larger data breach in which hackers accessed the data of over 100 client companies. This breach enabled the attackers to run a broad phishing campaign that resulted in the theft of approximately 10,000 employee credentials from upwards of 130 firms. In the wake of this incident, Twilio disclosed that the attackers had specifically targeted 93 Authy account holders and succeeded in linking additional devices to the compromised accounts, giving them unfettered access to genuine two-factor authentication codes.
UPDATE, 12:52 p.m. ET: This article has been updated for clarity to note that the larger data breach Twilio experienced in 2022 and the phishing campaign that led to significant credential theft were allegedly carried out by the same group of hackers.
Compiled by Techarena.au.


