Authy is a multifactor authentication (MFA) mobile app developed by Twilio, a cloud communications company based in California. On 1 July 2024, Twilio confirmed that unauthorized third parties accessed and downloaded private data linked to Authy accounts, including phone numbers. This breach occurred due to a failure to authenticate an API endpoint.
In late June, a cybercrime group known as ShinyHunters leaked a text file claiming to contain 33.4 million private records of Authy users. The file reportedly included account IDs, phone numbers, account statuses, and device counts.
Reports indicate that the data was gathered by inputting a large list of phone numbers into the unsecured API endpoint. If a number was valid, the endpoint would provide information about the associated Authy accounts.
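As an added illustration (not Twilio's or Authy's code), the following hypothetical lookup handler shows the class of defect described above next to a hardened version: the first answers differently for registered and unregistered numbers with no credential required, so a caller can confirm which numbers exist; the second demands a credential, returns the same response regardless of whether the number is registered, and caps requests per client. Account data and the token are constructed sample values.

```python
import hmac
from typing import Optional

# Constructed sample data: a tiny in-memory account table, not real Authy records.
ACCOUNTS = {"+15550000001": {"account_id": 1001, "status": "active", "devices": 2}}
API_TOKEN = "example-token"  # placeholder; a real service would load this from a secrets store
RATE_LIMIT = 5               # max lookups per client per window (hypothetical value)
_request_counts: dict = {}   # client_id -> requests seen in the current window


def vulnerable_lookup(phone: str) -> dict:
    """Mirrors the reported failure: no authentication, and the response
    reveals whether the number belongs to an account."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"status_code": 404, "body": {"error": "not found"}}
    return {"status_code": 200, "body": acct}


def hardened_lookup(phone: str, token: Optional[str], client_id: str) -> dict:
    """Requires a valid credential, rate-limits the caller, and returns an
    identical response whether or not the number is registered."""
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return {"status_code": 401, "body": {"error": "unauthorized"}}
    seen = _request_counts.get(client_id, 0) + 1
    _request_counts[client_id] = seen
    if seen > RATE_LIMIT:
        return {"status_code": 429, "body": {"error": "rate limited"}}
    # Perform any side effect (e.g. queue a notification) only if the account
    # exists, but never echo its existence or metadata back to the caller.
    _ = ACCOUNTS.get(phone)
    return {"status_code": 202,
            "body": {"message": "If this number is registered, it will be notified"}}
```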
Twilio has stated that it does not believe other private data was compromised. However, the stolen phone numbers and related metadata could be used by hackers for phishing, smishing, and SIM swapping attacks. ShinyHunters has indicated that the stolen data could be combined with other information for further breaches, including those targeting cryptocurrency.
Additionally, Twilio customers may be at risk from a separate data breach. Twilio has begun notifying affected customers that an unsecured Amazon Web Services S3 bucket, managed by a third-party vendor, exposed SMS-related data sent through its networks.
Exposure of SMS data and privacy risk for users
This breach, involving IdentifyMobile, a downstream carrier of Twilio's backup carrier iBasis, publicly exposed message-related SMS data sent between 1 January 2024 and 15 May 2024. Twilio has informed customers that some data, including message bodies (other than login tokens) and marketing campaign messages, may have been exposed. It has not ruled out the possibility of personal data exposure.
Individuals whose private information was impacted by these incidents may be at risk of identity theft, financial fraud, and other privacy violations. They may be entitled to financial compensation and a court order mandating changes to Twilio's cybersecurity practices.