Millions of cell numbers are stolen after a popular iOS/Android 2FA app is hacked

10comments
Millions of cell numbers are stolen after a popular iOS/Android 2FA app is hacked
Twilio's Authy app for both iOS and Android, designed to make it easier for users to request two-factor authentication (2FA) when signing into an app, ironically has been hacked resulting in the theft of customer smartphone numbers. In a blog post, Authy wrote, "Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests."
Twilio requests that all Authy users update to the latest iOS or Android versions of the app in order to install the latest security updates. Twilio adds, "While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.

Two-factor authentication (2FA) requires the use of a second layer of protection when signing into an app. For example, after signing into an app you receive an SMS on your phone containing a code that you need to type in to open the app. This prevents an attacker from opening one of your apps and getting into your account, changing your password, and robbing you blind. Right now, Twilio says that the customer data stolen in the hack was limited to phone numbers.


Twilio is blaming the use of "unauthenticated endpoints" for the successful hack and notes that it has taken action to secure this endpoint and "no longer allows unauthenticated requests." A media report puts the number of phone numbers stolen at 33 million. On a well-known hacking forum, hackers known as ShinyHunters admitted to hacking Twilio and stealing 33 million cellphone numbers.

While the theft of phone numbers shouldn't necessarily scare Authy users, the attackers could use these numbers to call or text the victimized Authy subscribers. The attackers could then pretend to be from Authy, and seek other user information including social security numbers, bank account numbers, and other sensitive personal data. Be careful when receiving a call or text that supposedly comes from Twilio or Authy and do not reveal any personal data no matter how insistent the caller or the text is.

And this hack has nothing to do with whether 2FA works to protect your personal data. If you like 2FA as a deterrent, don't stop using it because Authy has been attacked.

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless