At the end of June, hackers claimed to have stolen 33 million phone numbers from Twilio, a major U.S. messaging company. Last week Twilio confirmed the breach, but more importantly, that threat actors had managed to identify the phone numbers belonging to users of Authy, the popular two-factor authentication app owned by Twilio.

Twilio Authy Data Breach: What Happened?

In a post on a well-known hacking forum, the hackers known as ShinyHunters claimed responsibility for hacking Twilio and obtaining the phone numbers of 33 million users. Attackers then identified Authy customers’ phone numbers and other data through an unauthenticated endpoint, which has since been secured.

According to Twilio spokesperson Kari Ramirez, there is no indication of further breaches of Twilio’s systems or sensitive data. Nonetheless, Authy users are advised to immediately update to the latest versions of the app on Android and iOS to prevent potential risks. In the words of Twilio:

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint […] We know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened.”

The company reiterated that there is no evidence that the hackers accessed Twilio’s systems or sensitive data. However, updating to the latest versions of apps is critical as they contain new security updates. Investigations are ongoing.

Further Info

In 2022, Twilio experienced another data breach when a group of hackers accessed the data of more than 100 commercial customers. The hackers launched a phishing campaign that resulted in the theft of around 10,000 employee credentials from at least 130 companies. During that breach, Twilio reported that hackers targeted 93 individual Authy users and registered additional devices on those users’ Authy accounts, allowing them to steal real two-factor authentication codes. An attack like this illustrates how even 2FA is not completely secure — this is why experts recommend the even more advanced MFA.

ShinyHunters were in the news at the end of May after carrying out the gigantic Ticketmaster data breach that saw a shocking 560 million users have their details compromised. Watch this space for more news on the infamous hacker group as it comes.

Protecting Your Identity and Personal Info

Trend Micro is here to have your back in 2024. We would encourage readers to head over to our new ID Protection portal, which has been designed to meet the security threats that arise with a data breach like the above. With ID Protection, you can:

1. Check to see if your data (email, number, password, credit card) has been exposed in a leak, or is up for grabs on the dark web;
2. Secure your social media accounts with our Social Media Account Monitoring tool, with which you’ll receive a personalized report;
3. Create the strongest tough-to-hack password suggestions from our advanced AI (they’ll be safely stored in your Vault);
4. Enjoy a safer browsing experience, as Trend Micro checks websites and prevents trackers.
5. Receive comprehensive remediation and insurance services, with 24/7 support.

Offering both free and paid services, ID Protection will ensure you have the best safeguards in place, with 24/7 support available to you through one of the world’s leading cybersecurity companies. Why not give it a go today? As always, we hope this article has been an interesting and/or useful read. If so, please do SHARE it with family and friends to help keep the online community secure and informed — and consider leaving a like or comment below. Here’s to a secure 2024!