The infamous ShinyHunters hacking collective has claimed it stole 33 million phone numbers from Twilio, and the company has now revealed that the attackers were able to determine which of those phone numbers are used for its Authy service.
For those unfamiliar with Authy, it is a popular multi-factor authentication (MFA) tool, which Twilio acquired back in 2015.
Impersonating Authy
"Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint," a Twilio spokesperson told TechRadar Pro.
"We have taken action to secure this endpoint and no longer allow unauthenticated requests. We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks."
Knowing which phone numbers are used for Authy opens up new ways for hackers to conduct phishing attacks and bypass their victims’ MFA.
For example, cybercriminals could impersonate Authy and reach out to the users via SMS and have them share time-sensitive codes to access different accounts, which could be devastating without identity theft protection.
“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, CEO of SocialProof Security, told the publication.
Twilio is a cloud communications platform designed for companies looking to integrate real-time communications into their software applications.
More from TechRadar Pro
- Microsoft SQL servers hijacked to deliver Cobalt Strike and ransomware
- Here's a list of the best firewalls today
- These are the best endpoint protection tools right now
