Hackers managed to infiltrate the database of the Authy Android app, developed by Twilio, and were able to access data related to user accounts, including phone numbers, according to a security alert posted on July 1. However, the post clarified that the accounts themselves were not compromised, indicating that the attackers did not obtain authentication credentials. Nevertheless, the exposed phone numbers could potentially be used for phishing and smishing attacks in the future. In light of this risk, Twilio urged Authy users to remain vigilant and exercise caution when receiving text messages.
Authy is widely used by customers of centralized exchanges for two-factor authentication (2FA): it generates a code on the user's device that the exchange requires before authorizing withdrawals, transfers, or other sensitive actions. Both Gemini and Crypto.com use Authy as their default 2FA app, while Coinbase, Binance, and numerous other exchanges offer it as an option. Authy is often compared with its competitor, Google Authenticator, which serves the same purpose.
The attacker gained access through an unauthenticated endpoint, as stated in the post. The development team has since secured this endpoint, and the app no longer accepts unauthenticated requests. Users are encouraged to update to the latest version of the app, which includes enhanced security measures.
Twilio reassured users that their authenticator codes have not been compromised, meaning the attackers should not be able to access their exchange accounts. The company stated that there is no evidence to suggest that the threat actors gained access to Twilio’s systems or other sensitive data.
According to a report by Seeking Alpha, the ShinyHunters cybercriminal group was responsible for the hack and purportedly leaked a text file containing 33 million phone numbers registered with Authy. In 2021, the same criminal group was linked to an AT&T data breach that resulted in the release of data belonging to 51 million customers, as reported by cybersecurity blog Restoreprivacy.
Authenticator apps were designed to counter SIM swap attacks, a type of social engineering scam that involves convincing a phone company to transfer a user’s phone number to the attacker. Once the attacker gains control of the user’s phone account, they can receive the user’s 2FA codes without physically possessing their phone. These attacks are still prevalent today, particularly among users who receive 2FA codes via text messaging instead of using an app. On June 12, blockchain security firm SlowMist reported that millions of dollars had recently been lost by OKX users due to SIM swap attacks.