A dark web dump of 33 million phone numbers from Authy accounts has been traced back to a leak from an unauthenticated API endpoint. Twilio has confirmed the data breach and that it has updated its Android and iOS apps in response.
Data breach by ShinyHunters Group will likely spark phishing wave
Twilio has disclosed that customer phone numbers associated with Authy, along with “other data,” were exposed by a recent data breach. There is not yet any word that the attackers accessed “sensitive data” or Twilio’s internal systems, however. The company is also reassuring Authy users that their account logins are not compromised, but cautions that phishing attempts should be expected.
The statement also does not directly mention the technical details of the API endpoint issue, but urges all Authy users to update their Android (to v25.1.0) and iOS (to v26.1.0) apps as soon as possible to receive security updates.
The data breach first emerged in late June when the hacking group ShinyHunters posted a dump of 33 million phone numbers to BreachForums that were purportedly from Authy. The incident is a bit more concerning than the usual dump of contact information of this sort as Authy is a very popular two-factor authentication app that provides a login verification code to mobile devices. Authy previously had a desktop app available, but it was discontinued abruptly in March after an initial announcement that it would be supported until August of this year.
The most likely outcome of the data breach will be a wave of phishing attempts on Authy users, with the attackers likely looking to craft authentic-looking messages that appear to come from Authy or Twilio themselves. Users should be especially wary of any text messages that seem authentic but that come out of the blue and ask for a password/code to be entered or that attempt to link to an external site.
Jason Kent, Hacker in Residence at Cequence, expands on the potential danger: “As the standard script for breaches in the API era, Twilio is next on stage. We have shown over and over that an API Endpoint that accepts data and gives responses on that data, needs to be covered with both Authentication and Authorization or someone will abuse the endpoint. This example is an interesting one because its starts where you might not expect. As you attach a device to the Authy service they rely heavily on that devices phone number. Their systems are very interested in this number and obviously there are many endpoints that accept the number, and my guess is, if the number doesn’t exist there is an error. If the number does exist there is either a lack of error or some other way of knowing. So, if I want to take over someone’s account that is using Authy’s MFA, I need to know what number they used to sign that account up with and perform a SIM swap to get the MFA code sent to the new phone. This is a reverse attack where the MFA service provider was able to validate the numbers first, now the SIM swapping attacks can commence.”
“Twilio has since put authentication on the endpoint in question, but it is still unknown if anyone has bought the 33 Million records lost in the data dump. If you are an Authy user, you are advised to understand that that MFA service, for your account, may be compromised and any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t,” noted Kent.
Attackers appear to have plugged phone numbers into unauthenticated API endpoint
The data breach appears to be about as simple as it gets: it looks as if ShinyHunters just fed a massive “phone book” of numbers into an Authy API endpoint to see which came back as being associated with an account. The list the group used thus likely contained information from prior data breaches, and it is possible these numbers could now be paired with other leaked information. Authy account holders should not only be wary of incoming texts for some time, but also ensure that old accounts with recycled passwords are not hanging about.
Though Twilio mentioned that “other data” might be involved, the ShinyHunters post consisted of a massive CSV file that only appeared to tie phone numbers to account ID numbers and values for account status, device count and whether a device is locked. This appears to be the extent of the information that the vulnerable API endpoint would spit back when presented with a valid phone number associated with an Authy account.
Though the Authy API endpoint issue does not appear to have involved access to internal systems, Twilio very recently disclosed another data breach to its customers that involves a third-party vendor for a backup carrier. The company has sent out emails to some customers indicating that a vendor called IdentifyMobile, which serves as a downstream carrier to its backup carrier iBasis, may have exposed SMS text information to the open internet by improperly configuring an AWS S3 bucket that was left open from the start of 2024 to May 15. However, this data breach appears to be limited to impacting customers in France, Italy, Burkina Faso, Ivory Coast, and Gambia.
Scraping and abusing API endpoints exists in something of a legal grey area in which it is not necessarily strictly illegal and is done by AI and marketing companies among others. The onus of protecting this data falls on the company hosting it, and in most countries they are kept in line in this area by data privacy regulations. At present, US federal law does not adequately address this issue and only a handful of states have developed their own relevant laws. Facebook’s APIs have been hit in this way repeatedly for over a decade, and a late 2022 attack on a Twitter API yielded the private account information of some 5.4 million users, but fines and penalties for these issues generally only happen in the EU.
Twilio experienced two data breaches in 2022, both attributed to the “0ktapus” group, that involved a network break-in via social engineering phone calls to customer support in which the attackers obtained credentials by pretending to be from the IT department. Those attacks involved downstream access to some of Twilio’s customers and subsidiaries, including Authy which saw 93 accounts compromised to the point that attackers could add unauthorized devices to them.