If you use Authy, update your app immediately. Twilio, the messaging company that owns the two-factor authentication service, confirmed to TechCrunch on Wednesday that hackers breached Twilio and acquired mobile phone numbers for 33 million users.
Twilio published a statement on its website also confirming the hack. “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint,” the statement reads. “We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
The company added that there was no evidence that the hackers accessed Twilio’s systems or sensitive data. But updating to the latest version of the iOS and Android apps (on any devices you’re running) is critical as they include new security updates.
Twilio stressed that Authy accounts weren’t compromised. However, the hackers (and anyone they share the data with) could “try to use the phone number associated with Authy accounts for phishing and smishing attacks.”
If you aren’t familiar with the term, smishing is the text-message equivalent of phishing. So, if you have an Authy account, be extra cautious about any unexpected texts that appear to come from trusted sources, especially Authy or Twilio.
Rachel Tobac, a social engineering expert and CEO of SocialProof Security, illustrated to TechCrunch what that may look like. “If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Tobac said.
“We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” Twilio stressed.
