- The 2FA app Authy breach exposed 33 million phone numbers, posing phishing attack risks.
- No accounts have been compromised yet.
- Twilio has already secured the endpoint and improved app security.
On July 1, 2024, Twilio, the developer behind the popular two-factor authentication (2FA) app Authy, disclosed a data breach affecting user phone numbers.
While the accounts themselves were not compromised, the exposure of phone numbers poses a significant risk of phishing and smishing attacks.
Details of the Authy data breach
In a security alert issued by Twilio, it was revealed that hackers had gained access to the Authy Android app database through an “unauthenticated endpoint.”
The breach allowed attackers to identify data associated with user accounts, including phone numbers.
Despite this, Twilio assured users that their accounts were not compromised and that authentication credentials remained secure.
However, the exposed phone numbers could be exploited for phishing and smishing attacks, prompting Twilio to urge users to remain cautious and aware of suspicious texts they might receive.
Authy, widely used by centralized exchanges like Gemini and Crypto.com for 2FA, generates codes on user devices for secure access to sensitive tasks such as withdrawals and transfers. Coinbase and Binance also allow the app as an option. It is often compared to Google Authenticator, serving a similar purpose in enhancing digital security.
Following the breach, Twilio secured the compromised endpoint and released an updated app version with improved security measures. The company emphasized that there was no evidence of attackers gaining access to Twilio’s systems or other sensitive data.
Implications of the 2FA app security breach
The Authy breach underscores the persistent threat posed by cybercriminal groups like ShinyHunters, reportedly responsible for the attack.
Known for high-profile breaches, including the 2021 AT&T data breach affecting 51 million customers, ShinyHunters leaked a text file containing 33 million phone numbers registered with Authy.
This breach serves as a stark reminder of the vulnerabilities in even the most trusted security applications.
Authenticator apps like Authy and Google Authenticator were developed to counter SIM swap attacks — a prevalent social engineering tactic where attackers trick phone companies into transferring a user’s phone number to the attacker. This allows them to receive 2FA codes intended for the legitimate user.
Despite these apps’ security advantages, this recent breach highlights that no system is entirely foolproof.
To mitigate the risks associated with such breaches, users are advised to adopt multi-layered security measures. This includes regularly updating authentication apps, enabling app-based rather than SMS-based 2FA, and remaining vigilant against phishing attempts.
Additionally, users could consider using hardware security keys for an added layer of protection.
