“Twilio Confirms 33 Million Authy Users’ Phone Numbers Stolen by Hackers”

**Hackers Steal 33 Million Phone Numbers from Twilio’s Authy App**

Last week, a hacker claimed to have stolen 33 million phone numbers from Twilio, a major messaging company in the U.S. On Tuesday, Twilio confirmed that “threat actors” were able to identify the phone numbers of users of Authy, a popular two-factor authentication app owned by Twilio.

Twilio spokesperson Kari Ramirez explained that the hackers were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. However, Twilio stated that there is no evidence that the hackers accessed its systems or obtained other sensitive data.

In response to the breach, Twilio has taken action to secure the endpoint and no longer allows unauthenticated requests. The company has urged all Authy users to update their apps to the latest versions for enhanced security. Users are also advised to remain vigilant against phishing and smishing attacks.

While the theft of phone numbers may not initially seem like a significant data breach, it can still pose risks to the affected individuals. According to Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, attackers can now specifically target Authy users and send malicious messages that appear to come from Authy and Twilio. This increases the believability of phishing attacks, making it more likely for users to fall victim.

This incident is not the first security breach that Twilio has faced. In 2022, the company experienced a larger data breach where hackers accessed the data of over 100 customers. This breach led to a phishing campaign that resulted in the theft of approximately 10,000 employee credentials from multiple companies. As part of that breach, hackers successfully targeted 93 individual Authy users and registered additional devices on their accounts to steal two-factor codes.

It is important to note that the 2022 Twilio breach is not directly connected to the phishing campaign that followed. However, both attacks were allegedly carried out by the same threat actors.

Overall, this recent breach highlights the importance of robust security measures in protecting user data. Companies like Twilio must continually assess and enhance their security protocols to prevent unauthorized access and mitigate potential risks to their users. Users, on the other hand, should remain vigilant, update their apps regularly, and be cautious of any suspicious messages they receive.
