Last week, a hacker claimed to have stolen 33 million phone numbers from US messaging giant Twilio. On Tuesday, Twilio confirmed to JS that “threat actors” were able to identify the phone numbers of people using Authy, a popular two-factor authentication app owned by Twilio.
In a post on a well-known hacker forum, the hacker(s) ShinyHunters wrote that they had hacked Twilio and obtained the mobile phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told JS that the company “discovered that threat actors were able to identify data associated with Authy accounts, including phone numbers, thanks to an unauthenticated endpoint. We have taken action to secure this endpoint and will no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors gained access to Twilio’s systems or other sensitive data. As a precaution, we ask all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to remain diligent and be more aware of phishing and smishing attacks,” Ramirez wrote in an email.
Twilio also published a warning on its official website on Monday, with the same statement.
While obtaining a list of phone numbers may not seem like the most dangerous data breach in itself, it can still pose a threat to the owners of those numbers.
“If attackers can enumerate a list of users' phone numbers, those attackers can impersonate those users as Authy/Twilio, increasing the credibility of a phishing attack on that phone number,” Rachel Tobac, a social engineering expert and CEO of SocialProof Security, told JS.
Tobac explained that hackers can now specifically target people they know are Authy users, allowing attackers to make it appear as if their malicious messages are actually coming from Authy and Twilio.
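The two points above, an unauthenticated endpoint that answers differently for registered and unregistered numbers, and the bulk enumeration that such an endpoint invites, can be made concrete in code. The following is an added example, not Twilio's or Authy's code, and it assumes a hypothetical `/lookup` handler; every phone number, API token and log line in it is constructed sample data. It shows the enumeration-prone design beside a hardened one (authenticated caller, per-client rate limit, identical response regardless of whether the number is registered) and a small detector that flags a number sweep in request logs.

```python
"""Added example (not Twilio's or Authy's code): a phone-number lookup that
acts as an enumeration oracle, a hardened version, and a log-based detector.
All numbers, tokens and log lines are constructed sample data."""
import hmac
import time
from collections import defaultdict

# Constructed set of "registered" numbers in E.164 form. Not real data.
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}

# Constructed API tokens mapped to client identities (hypothetical).
API_TOKENS = {"tok-demo-client": "demo-client"}


def lookup_leaky(phone):
    """Enumeration-prone design: no authentication, and the response differs
    depending on whether the number is registered, so anyone can sweep a
    number range and learn which numbers have accounts."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "not found"}}


class TokenBucket:
    """Per-client rate limiter: `capacity` requests, refilled at `rate`/second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def allow(self, client, now):
        last = self.last.get(client, now)
        refill = (now - last) * self.rate
        self.tokens[client] = min(self.capacity, self.tokens[client] + refill)
        self.last[client] = now
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


LIMITER = TokenBucket(capacity=5, rate=0.1)
UNIFORM_BODY = {"message": "If this number is registered, a notification has been sent."}
AUDIT = []  # internal record of lookups for registered numbers; never returned to callers


def _authenticate(token):
    """Constant-time comparison against each known token; returns the client or None."""
    if token is None:
        return None
    for known, client in API_TOKENS.items():
        if hmac.compare_digest(token, known):
            return client
    return None


def lookup_hardened(phone, token, now=None, limiter=LIMITER):
    """Hardened design: the caller must authenticate, is rate limited per
    client, and gets the same response whether or not the number exists."""
    now = time.time() if now is None else now
    client = _authenticate(token)
    if client is None:
        return {"status": 401, "body": {"error": "unauthorized"}}
    if not limiter.allow(client, now):
        return {"status": 429, "body": {"error": "rate limited"}}
    if phone in REGISTERED:
        AUDIT.append((client, phone))  # side effect stays server-side
    return {"status": 202, "body": dict(UNIFORM_BODY)}


# Constructed access-log lines: "<epoch> <source_ip> <path> <phone> <status>"
SAMPLE_LOG = """1720000000 203.0.113.7 /lookup +15550000001 200
1720000001 203.0.113.7 /lookup +15550000002 200
1720000001 203.0.113.7 /lookup +15550000004 404
1720000002 203.0.113.7 /lookup +15550000005 404
1720000002 203.0.113.7 /lookup +15550000006 404
1720000003 203.0.113.7 /lookup +15550000007 404
1720000010 198.51.100.9 /lookup +15550000003 200"""


def enumeration_suspects(log_text, window=60, min_distinct=5):
    """Flag source IPs that query at least `min_distinct` different numbers
    within `window` seconds: the signature of a number sweep."""
    seen = defaultdict(list)  # ip -> [(timestamp, phone)]
    for line in log_text.splitlines():
        ts, ip, path, phone, _status = line.split()
        if path == "/lookup":
            seen[ip].append((int(ts), phone))
    flagged = set()
    for ip, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {p for t, p in events[i:] if t - start <= window}
            if len(distinct) >= min_distinct:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(lookup_leaky("+15550000001"), lookup_leaky("+15550000099"))
    print(lookup_hardened("+15550000001", "tok-demo-client"))
    print(enumeration_suspects(SAMPLE_LOG))
```

The hardened handler still records which registered numbers were queried (for fraud review), but that record never reaches the caller; the only thing a sweeper can observe is the uniform 202 body, then 401 or 429 once the token or the budget runs out. The detector is deliberately simple, distinct numbers per source within a sliding window, which is the first signal a SOC would alert on for this class of endpoint.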
In 2022, Twilio suffered a larger data breach, when a group of hackers gained access to the credentials of more than 100 enterprise customers. Armed with that information, the hackers then launched an elaborate phishing campaign that resulted in the theft of approximately 10,000 employee credentials from at least 130 companies. As part of that breach at the time, Twilio said hackers successfully targeted 93 individual Authy users and were able to register additional devices to those victims’ Authy accounts, effectively stealing real two-factor authentication credentials.