Twilio says someone has obtained phone numbers linked to its two-factor authentication (2FA) service, Authy, as reported earlier by TechCrunch. In a security alert on Monday, Twilio warns that the “threat actors” may try to use the stolen phone numbers to carry out phishing attacks and other scams.
The incident follows a 2022 data breach that occurred after a phishing campaign tricked employees into disclosing their login credentials. The attackers accessed data from 163 Twilio accounts and managed to access and register additional devices on 93 Authy accounts.
Twilio traced this leak back to “an unauthenticated endpoint” that it has since secured. Last week, the threat actor ShinyHunters published a list of 33 million phone numbers from Authy accounts on the dark web. As pointed out by BleepingComputer, the threat actor appears to have obtained the information by feeding a massive list of phone numbers into Authy’s unsecured API endpoint, which would then confirm whether they were associated with the app.
“We encourage all Authy users to stay diligent and have heightened awareness around the texts they’re receiving,” Twilio writes. It adds that it “has seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data” and that Authy accounts weren’t compromised. Twilio is advising users to update their Authy apps on Android and iOS (the Authy desktop app has been discontinued).
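The leak described above depended on a lookup that told unauthenticated callers whether a given phone number was registered. The following detection pass is an added example, not Twilio's code: it scans access logs for clients that query many distinct numbers without credentials. The log format, the `/lookup` path, the `auth=` field and the threshold are hypothetical, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical access-log format: timestamp, client IP, auth state, request, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) auth=(?P<auth>\S+) "
    r"GET /lookup\?phone=(?P<phone>\d+) (?P<status>\d{3})$"
)

def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, made-up numbers)."""
    lines = []
    for i in range(8):  # unauthenticated client walking a number range
        status = 200 if i % 3 == 0 else 404  # 200 means "number is registered"
        lines.append(f"2024-01-01T10:00:{i:02d}Z 203.0.113.7 auth=none "
                     f"GET /lookup?phone=1555010{i:04d} {status}")
    for i in range(3):  # one user retrying their own number
        lines.append(f"2024-01-01T10:01:{i:02d}Z 192.0.2.5 auth=none "
                     f"GET /lookup?phone=15550109999 200")
    for i in range(6):  # authenticated integration doing bulk lookups
        lines.append(f"2024-01-01T10:02:{i:02d}Z 198.51.100.20 auth=apikey "
                     f"GET /lookup?phone=1555020{i:04d} 200")
    return "\n".join(lines)

def find_enumerators(log_text, min_distinct=5):
    """Return {ip: stats} for unauthenticated clients probing many distinct numbers."""
    probed = defaultdict(set)   # ip -> distinct phone numbers queried
    confirmed = defaultdict(int)  # ip -> lookups that confirmed a registration
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["auth"] != "none":
            continue  # unparsable line or authenticated caller
        probed[m["ip"]].add(m["phone"])
        if m["status"] == "200":
            confirmed[m["ip"]] += 1
    return {
        ip: {"distinct_numbers": len(nums), "confirmed": confirmed[ip]}
        for ip, nums in probed.items()
        if len(nums) >= min_distinct
    }

if __name__ == "__main__":
    for ip, stats in find_enumerators(build_sample_log()).items():
        print(ip, stats)
```

Counting distinct numbers rather than raw requests keeps a user who retries their own number out of the results. The `confirmed` count shows how much registration status the endpoint disclosed to that client.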