Twilio says somebody has obtained cellphone numbers related to its two-factor authentication service (2FA), Authy, as reported earlier by TechCrunch. In a security alert on Monday, Twilio warns that the “menace actors” might attempt to use the stolen cellphone numbers to hold out phishing assaults and different scams.
The incident follows a 2022 data breach that occurred after a phishing marketing campaign tricked staff into disclosing their login credentials. The attackers accessed data from 163 Twilio accounts and managed to entry and register extra gadgets on 93 Authy accounts.
Twilio traced this leak again to “an unauthenticated endpoint” that it has since secured. Final week, the menace actor ShinyHunters published a list of 33 million cellphone numbers from Authy accounts on the darkish net. As pointed out by BleepingComputer, the menace actor appears to have obtained the knowledge by inputting a large record of cellphone numbers into Authy’s unsecured API endpoint, which might then confirm whether or not they’re related to the app.
“We encourage all Authy customers to remain diligent and have heightened consciousness across the texts they’re receiving,” Twilio writes. It provides that it “has seen no proof that the menace actors obtained entry to Twilio’s techniques or different delicate knowledge” and that Authy accounts weren’t compromised. Twilio is advising customers to replace their Authy apps on Android and iOS (the Authy desktop app has been discontinued).