Not sure how it affects two factor authorization here.
techcrunch.com
Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.
In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.
Twilio also published an alert on its official website on Monday, including the same statement.
While obtaining a list of phone numbers — on its own — may not appear to be the most dangerous of data breaches, it could still pose a threat to the owners of those numbers.
“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.
Twilio says hackers identified cell phone numbers of two-factor app Authy users | TechCrunch
Twilio says "threat actors were able to identify" phone numbers of people who use the two-factor app Authy.
techcrunch.com
Twilio says hackers identified cell phone numbers of two-factor app Authy users
Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.
In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.
Twilio also published an alert on its official website on Monday, including the same statement.
CONTACT US
Do you have more information about this Twilio/Authy incident? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.While obtaining a list of phone numbers — on its own — may not appear to be the most dangerous of data breaches, it could still pose a threat to the owners of those numbers.
“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.
