Twilio breach leaks over 30 million Authy-linked phone numbers

This is Authy's second breach in two years

Summary

Authy is a 2FA app that recently suffered a data breach that exposed more than 33 million phone numbers.
An unsecured API endpoint allowed threat actors to collect linked numbers.
If you think your personal information might be among the 33 million leaked numbers, consider securing your accounts with 2FA and be wary of SMS phishing attacks.

30 comments

consider securing your accounts with 2FA
But authy is the 2FA - what should their users be doing?
- Not using cloud based 2fa which is dumb to begin with
  
  Okay but they're already using it so its a bit late for that.

Avoid using services that ask for your phone number, for your own good.
- Unfortunately all of them do, and if you don't give it to them they won't let you sign up
  
  Is there a service that can't be used without a phone number and has no alternative?

The real important reminder here is that you should never use SMS as your 2FA delivery method. Phone numbers aren't private and once associated with an account it's far too easy to spoof/sim swap and intercept the code.
- Someone needs to convince US Banks of this
  
  That shit drives me nuts. Wanna be trusted with my life savings, but they can't be bothered to implement modern security features until they're already being phased out. I don't know what will replace modern 2FA schemes, but I guarantee banks will adopt the current ones about three years after the replacements become standard.
  Also, they're charging you a poor tax for not having enough money, whether that's a minimum balance or just accidentally spending a nickel more than you had on hand.

Just moved all my 2FA over to Bitwarden and Bitwarden Authenticator, and deleted my Authy account. I'd already been using it for passwords, so it was a natural fit.

Twilio has a really cool API that lets you resolve phone numbers to what carrier and if it's been ported.
Shame to see they got pwned.

30 comments