Twilio says somebody has obtained telephone numbers related to its two-factor authentication service (2FA), Authy, as reported earlier by TechCrunch. In a security alert on Monday, Twilio warns that the “risk actors” might attempt to use the stolen telephone numbers to hold out phishing assaults and different scams.
The incident follows a 2022 information breach that occurred after a phishing marketing campaign tricked staff into disclosing their login credentials. The attackers accessed information from 163 Twilio accounts and managed to entry and register extra units on 93 Authy accounts.
Twilio traced this leak again to “an unauthenticated endpoint” that it has since secured. Final week, the risk actor ShinyHunters published a list of 33 million telephone numbers from Authy accounts on the darkish net. As pointed out by BleepingComputer, the risk actor appears to have obtained the data by inputting an enormous checklist of telephone numbers into Authy’s unsecured API endpoint, which might then confirm whether or not they’re related to the app.
“We encourage all Authy customers to remain diligent and have heightened consciousness across the texts they’re receiving,” Twilio writes. It provides that it “has seen no proof that the risk actors obtained entry to Twilio’s techniques or different delicate information” and that Authy accounts weren’t compromised. Twilio is advising customers to replace their Authy apps on Android and iOS (the Authy desktop app has been discontinued).
