Twilio data breach gets a whole lot worse as it confirms hackers accessed Authy user phone numbers

For those unfamiliar with Authy, it is a popular multi-factor authentication (MFA) tool, which Twilio acquired back in 2015.

Impersonating Authy

Twilio spokesperson Kari Ramirez told TechCrunch the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email. 

Knowing which phone numbers are used for Authy opens up new ways for hackers to conduct phishing attacks and bypass their victims’ MFA. 

For example, cybercriminals could impersonate Authy and reach out to the users via SMS and have them share time-sensitive codes to access different accounts. 

“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, CEO of SocialProof Security, told the publication.

Twilio is a cloud communications platform designed for companies looking to integrate real-time communications into their software applications.

More from TechRadar Pro

• Microsoft SQL servers hijacked to deliver Cobalt Strike and ransomware
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now