Authy data breach investigated

Thursday 11 July 2024 09:20 CET | News

Schubert Jonckheer & Kolbe LLP is investigating a data breach affecting 33.4 million users of Authy, a multifactor authentication app by Twilio.


Authy is a multifactor authentication (MFA) mobile app developed by Twilio, a cloud communications company based in California. On 1 July 2024, Twilio confirmed that unauthorized third parties accessed and downloaded private data linked to Authy accounts, including phone numbers. The breach occurred because an API endpoint did not require authentication.

In late June, a cybercrime group known as ShinyHunters leaked a text file claiming to contain 33.4 million private records of Authy users. The file reportedly included account IDs, phone numbers, account statuses, and device counts.

Reports indicate that the data was gathered by inputting a large list of phone numbers into the unsecured API endpoint. If a number was valid, the endpoint would provide information about the associated Authy accounts.
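The lookup pattern described above leaves a recognisable trace in access logs: one client querying many different phone numbers in a short time. The following sketch is an added example, not part of the original article or of Twilio's code; the log format, the `/v1/lookup` path, the `phone` parameter and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit


def sample_log():
    """Constructed log lines (timestamp, client, request, status); not real traffic.
    The /v1/lookup path and its "phone" parameter are hypothetical."""
    fmt = "2024-06-20T10:{:02d}:{:02d} {} /v1/lookup?phone={} {}"
    # Ordinary client: the same number looked up twice.
    lines = [fmt.format(0, s, "198.51.100.4", "15555550101", 200) for s in (0, 30)]
    # Enumerating client: 8 different numbers in 8 seconds, mixed hits and misses.
    for i in range(8):
        status = 200 if i % 3 == 0 else 404
        lines.append(fmt.format(1, i, "203.0.113.9", f"1555555011{i}", status))
    # Slow client: 6 different numbers, two minutes apart.
    for i in range(6):
        lines.append(fmt.format(10 + 2 * i, 0, "192.0.2.20", f"1555555012{i}", 200))
    return "\n".join(lines)


def parse(line):
    ts, client, target, status = line.split()
    phone = parse_qs(urlsplit(target).query).get("phone", [""])[0]
    return datetime.fromisoformat(ts), client, phone, int(status)


def find_enumerators(log_text, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: peak count of distinct numbers queried within `window`}
    for every client whose count exceeded max_distinct."""
    recent = defaultdict(deque)  # client -> (timestamp, phone) pairs still in window
    flagged = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, phone, _status = parse(line)
        q = recent[client]
        q.append((ts, phone))
        while ts - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        # Hits and misses both count: either answer reveals whether a number is registered.
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

A per-client window like this misses lookups spread across many source addresses, so it complements, rather than replaces, requiring authentication on the endpoint.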


Twilio has stated that it does not believe other private data was compromised. However, the stolen phone numbers and related metadata could be used by hackers for phishing, smishing, and SIM swapping attacks. ShinyHunters has indicated that the stolen data could be combined with other information for further breaches, including those targeting cryptocurrency.

Additionally, Twilio customers may be at risk due to another data breach. Twilio has begun notifying affected customers that an unsecured Amazon Web Services S3 bucket, managed by a third-party vendor, exposed SMS-related data sent through its networks.

Exposure of SMS data and privacy risk for users

This breach, involving IdentifyMobile, a downstream carrier of Twilio's backup carrier iBasis, publicly exposed message-related SMS data sent between 1 January 2024 and 15 May 2024. Twilio has informed customers that some data, including message bodies without login tokens and marketing campaigns, may have been exposed. It has not ruled out the possibility of personal data exposure.

Individuals whose private information was impacted by these incidents may be at risk of identity theft, financial fraud, and other privacy violations. They may be entitled to financial compensation and a court order mandating changes to Twilio's cybersecurity practices.

Schubert Jonckheer & Kolbe LLP represents shareholders, employees, and consumers in class actions against corporate defendants, as well as shareholders in derivative actions against corporate officers and directors. The firm is based in San Francisco and, with the assistance of co-counsel, litigates cases nationwide.


Keywords: data breaches, online security, identity theft, fraud management
Categories: Fraud & Financial Crime
Companies: Twilio
Countries: United States