Twilio says hackers identified cell phone numbers of two-factor app Authy users

Date:

Share post:


Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.

In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.

Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email. 

Twilio also published an alert on its official website on Monday, including the same statement. 

While obtaining a list of phone numbers — on its own — may not appear to be the most dangerous of data breaches, it could still pose a threat to the owners of those numbers.

“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.

Tobac explained that now hackers can specifically target people who they know are Authy users, giving the attackers a chance to make it look like their malicious messages really come from Authy and Twilio. 

In 2022, Twilio suffered a larger data breach, when a group of hackers accessed the data of more than 100 company customers. Armed with that information, the hackers then launched a wide-ranging phishing campaign which resulted in the theft of around 10,000 employee credentials from at least 130 companies. As part of that breach at the time, Twilio said hackers successfully targeted 93 individual Authy users and were able to register additional devices on those victims’ Authy accounts, allowing them to effectively steal real two-factor codes.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Jake Paul vs Mike Tyson fight shows Netflix still struggles with live events

Viewers have been talking about Friday evening’s boxing match between Mike Tyson and Jake Paul — but...

Disgruntled X users make the switch to Bluesky

Welcome back to Week in Review. This week, we’re breaking down Bluesky’s big surge in users, Elon...

Best gifts for frequent travelers

What’s the best gift you can get someone? Why, the gift of travel, of course. The next...

TikTok parent ByteDance reportedly values itself at $300 billion

ByteDance, the Chinese company that owns TikTok, valued itself at $300 billion in a recent share buyback...

Botinkit’s robot wants to cook for you

Warehouses aren’t the only places grappling with a labor crunch. Since the start of the pandemic, restaurants...

SpaceX Starship: Everything you’ve ever wondered but were afraid to ask

SpaceX’s massive Starship rocket has the potential to transform the commercial space economy, ensure America’s position as...

T-Mobile hack linked to Chinese breaches of telecom networks

U.S. phone giant T-Mobile was hacked as part of a broad cyberattack on U.S. and international phone...

What a second Trump term means for the future of ransomware

The U.S. government has made big strides over the past four years in the ongoing fight against...