Data Breaches
July 4, 2024

Unsecured API Endpoint Exploited to Verify Millions of Authy MFA Phone Numbers

Twilio has confirmed that a vulnerability in an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication (MFA) users. This exposure potentially leaves users vulnerable to SMS phishing and SIM swapping attacks.

Authy, a mobile application that generates MFA codes for websites where users have enabled this security feature, was targeted by the threat actor group known as ShinyHunters. In late June, ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service. This CSV file includes 33,420,546 rows with details such as account ID, phone number, an "over_the_top" column, account status, and device count.

Twilio has now confirmed that these phone numbers were compiled through an unauthenticated API endpoint. The company stated, "Threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have secured this endpoint and no longer allow unauthenticated requests."

Despite this breach, Twilio states that there is no evidence of threat actors accessing Twilio's systems or other sensitive data. As a precaution, Twilio urges all Authy users to update to the latest versions of the Android and iOS apps, and to maintain heightened awareness of potential phishing and smishing attacks.

Previously, Twilio experienced security breaches in June and August of 2022, which allowed threat actors to access Authy customer information. The recent incident highlights the ongoing risk posed by unsecured APIs.

Details of the Attack

The threat actors compiled the phone numbers by feeding a large list of numbers into the unsecured API endpoint. If a number was valid, the endpoint returned information about the associated Authy account. This method is similar to previous exploits of unsecured Twitter and Facebook APIs to compile profiles with both public and non-public information.
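The pattern described above is a classic account-enumeration oracle: an endpoint that answers differently for registered and unregistered numbers, with no authentication in front of it. The following is an added example written for this article, not Twilio's or Authy's code, and all account records, tokens and log lines in it are constructed. It shows a minimal lookup handler in the vulnerable shape, a hardened version that requires a session token bound to the number being looked up and returns a uniform error otherwise, and a simple detector that flags sources in an access log which query many distinct numbers with a high miss rate.

```python
"""Added example (not Twilio's or Authy's code): phone-lookup endpoint in the
vulnerable shape described in the article, a hardened equivalent, and an
enumeration detector over constructed access-log lines."""
from collections import defaultdict
from typing import Optional

# Constructed sample account table (phone -> account record); not real data.
ACCOUNTS = {
    "+15550000001": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15550000002": {"account_id": 1002, "status": "active", "device_count": 1},
}

# Constructed session tokens mapping to the phone number the session owns.
VALID_TOKENS = {"session-token-for-1001": "+15550000001"}


def lookup_unauthenticated(phone: str) -> Optional[dict]:
    """Vulnerable pattern: any caller learns whether a number is registered
    and, if it is, receives the account record. The differing responses
    (record vs. None) are the oracle an enumeration run exploits."""
    return ACCOUNTS.get(phone)


def lookup_hardened(token: Optional[str], phone: str) -> dict:
    """Hardened pattern (one reasonable design, assumed here): the caller must
    present a valid session token, and may only look up the number that
    session owns. Every failure path returns the same status and body, so the
    response does not reveal whether the number exists."""
    owner = VALID_TOKENS.get(token or "")
    if owner is None or owner != phone:
        return {"status": 403, "body": {"error": "forbidden"}}
    return {"status": 200, "body": ACCOUNTS[phone]}


def detect_enumeration(log_lines, min_distinct: int = 5, miss_ratio: float = 0.5):
    """Flag source addresses that query many distinct phone numbers on the
    lookup endpoint with mostly misses. Log format is constructed for this
    example: '<src_ip> <endpoint> <phone> <http_status>', where 404 marks a
    lookup of an unregistered number."""
    per_src = defaultdict(lambda: {"phones": set(), "misses": 0, "total": 0})
    for line in log_lines:
        src, endpoint, phone, status = line.split()
        if endpoint != "/lookup":
            continue
        entry = per_src[src]
        entry["phones"].add(phone)
        entry["total"] += 1
        if status == "404":
            entry["misses"] += 1
    flagged = []
    for src, entry in per_src.items():
        many_numbers = len(entry["phones"]) >= min_distinct
        mostly_misses = entry["misses"] / entry["total"] >= miss_ratio
        if many_numbers and mostly_misses:
            flagged.append(src)
    return sorted(flagged)


# Constructed access-log sample: one ordinary client and one source sweeping
# through a range of numbers. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    "198.51.100.7 /lookup +15550000001 200",
    "198.51.100.7 /lookup +15550000001 200",
    "203.0.113.9 /lookup +15550000001 200",
    "203.0.113.9 /lookup +15550000002 200",
    "203.0.113.9 /lookup +15550000003 404",
    "203.0.113.9 /lookup +15550000004 404",
    "203.0.113.9 /lookup +15550000005 404",
    "203.0.113.9 /lookup +15550000006 404",
    "203.0.113.9 /login +15550000006 200",
]

if __name__ == "__main__":
    print("unauthenticated oracle:", lookup_unauthenticated("+15550000001") is not None,
          lookup_unauthenticated("+15559999999") is not None)
    print("hardened, no token:", lookup_hardened(None, "+15550000001")["status"])
    print("hardened, own number:", lookup_hardened("session-token-for-1001", "+15550000001")["status"])
    print("hardened, other number:", lookup_hardened("session-token-for-1001", "+15550000002")["status"])
    print("flagged sources:", detect_enumeration(SAMPLE_LOG))
```

The detector thresholds are illustrative; in production the same logic would run over a sliding time window and feed a rate limiter or block list, and the miss signal would come from the application's own audit log rather than an HTTP status, since a properly hardened endpoint no longer exposes that difference to the client.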

While the leaked Authy data primarily contains phone numbers, this information can still facilitate smishing and SIM swapping attacks. ShinyHunters hinted at using the phone numbers to compare with data from other breaches, such as those involving Gemini and Nexo, potentially leading to targeted attacks on cryptocurrency exchange accounts.

Preventive Measures and Recommendations

Twilio has released a security update for Authy, recommending users upgrade to the latest versions of the Android (v25.1.0) and iOS (v26.1.0) apps, which include enhanced security features. Although it is unclear how these updates protect against the misuse of the scraped data, users are advised to take additional precautions:

• Configure mobile accounts to block number transfers without a passcode or additional security measures.
• Remain vigilant for SMS phishing attempts aimed at stealing sensitive information, such as passwords.

In an unrelated incident, Twilio has also notified users of a data breach involving a third-party vendor's unsecured AWS S3 bucket, which exposed SMS-related data sent through Twilio.

This incident underscores the importance of securing APIs and implementing robust security practices to protect user data from malicious actors. Cyber security professionals should stay informed about the latest threats and ensure that their systems are resilient against similar attacks.
