Qoinix

33 million Authy users exposed in authentication app’s own security nightmare

A hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. The company confirmed to CyberGuy that threat actors got access to the data associated with its Authy two-factor authentication service.

Obtaining a list of phone numbers alone is not the biggest cyberattack, but it could still pose a threat to the owners of those numbers. 

Hackers may use these numbers to launch phishing attacks, send spam text messages or attempt SIM swapping. Twilio has since patched its app to avoid future security incidents and has also cautioned users.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

On July 3, the hacker group known as ShinyHunters reportedly took to a hacking forum to boast about stealing 33 million cellphone numbers. Twilio said that the incident was “not a hack or breach” but rather the threat actors exploiting an “unauthenticated endpoint.” In simple terms, hackers exploited a specific part of Twilio’s system that didn’t require authentication.

The U.S. messaging giant confirmed that hackers were able to identify data associated with Authy accounts, including phone numbers, but did not specify how many accounts were affected. The company stated that there is no evidence indicating that the hackers gained access to Twilio’s systems or other sensitive data.

Twilio provided this statement to CyberGuy: “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.”

GET FOX BUSINESS ON THE GO BY CLICKING HERE

ANDROID USERS AT RISK AS BANKING TROJAN TARGETS MORE APPS

If you’ve been affected by the Twilio security incident, the first thing you need to do is download the latest version of the Authy app. Twilio has released a new version of the app that includes bug fixes and security updates. Android users can update the app from the Play Store, and iPhone users can head to the App Store.

You also need to be cautious of phishing attacks. While your Authy account itself is safe, hackers might use the phone number linked to your account to try some phishing tricks. This means they could contact you pretending to be from Authy or Twilio to trick you into giving away personal information.

ANDROID BANKING TROJAN MASQUERADES AS GOOGLE PLAY TO STEAL YOUR DATA

While hackers can misuse your personal information in various ways, there are several steps you can take to prevent harm.

1. Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but it’s not enough to stop all malicious software. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Use an identity theft protection service: Identity theft companies can monitor personal information like your Social Security Number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

CLICK HERE FOR MORE U.S. NEWS

One of the best parts of using some services is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white-glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft.

3. Invest in data removal services: While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Remove your personal data from the internet with my top picks here.

4. Use multifactor authentication: Enable two-factor authentication on your important accounts to add an extra layer of security beyond a password. This requires a second step, like a code sent to your phone, to log in.

5. Use a VPN: Consider using a VPN to protect against being tracked and to identify your potential location on websites that you visit. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. For the best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.

HOW TO OUTSMART CRIMINAL HACKERS BY LOCKING THEM OUT OF YOUR DIGITAL ACCOUNTS

Authy is a two-factor authentication service that users trust, but a security lapse in its system reminds users that no service is foolproof. The service maker maintains that hackers do not have access to Authy accounts, which is a relief. Companies should invest more in security infrastructure to ensure that their customers’ sensitive data does not get compromised so easily.

How do you think companies should improve their security measures to prevent incidents like the Twilio security incident? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

Copyright 2024 CyberGuy.com. All rights reserved.

Stay Connected
Latest News