Messaging giant Twilio has confirmed that a vulnerable API endpoint allowed “threat actors” to check the phone numbers of numerous Authy multi-factor authentication users. Last week, a threat actor known as ShinyHunters leaked a CSV file containing what they claim are 33 million phone numbers linked to Authy, as reported by TechCrunch.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint,” Twilio said in a blog post. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.”
Twilio acknowledged that the breach exploited a vulnerable API endpoint, prompting the company to disable the endpoint and improve its security. It has advised users to update their Authy iOS app from the App Store and to contact Twilio support if they are unable to access their accounts. Note that Authy’s desktop app has been discontinued; Authy is now available only on iOS and Android.
More importantly, this follows a 2022 data breach in which a phishing campaign tricked employees into revealing their login details, and attackers breached over 163 Twilio accounts.
It seems data breaches have become increasingly common recently. Ars Technica also reported that roughly three million iPhone and Mac apps are currently at risk.