ShinyHunters popped up on BreachForums once again in late June to offer 33 million stolen phone numbers that they claimed were from Authy. Parent company Twilio has since confirmed the data breach and that the leak occurred due to an improperly secured API endpoint.
Twilio is advising users to update their mobile apps to the latest version for security patching, though it is not clear how that addresses the stolen data. At some point Authy users will likely experience a wave of phishing as attackers try out the stolen numbers.
API endpoint abused to confirm phone number-account pairings
This isn’t so much a case of contact information being stolen from Authy accounts, as ShinyHunters already possessed a massive list of phone numbers (likely fed by prior data breaches) and abused the API endpoint by simply plugging them all in. For any number tied to an Authy account, the endpoint replied with the account ID and some basic values such as its status and the number of devices covered by it.
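As an added illustration (not code from Twilio, Authy or the article), the following Python shows how a defender might spot this kind of bulk lookup in API logs: a scraper cycles through many distinct numbers in a short window, whereas a legitimate client re-checks only the few it owns. The log format, client addresses and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Authy/Twilio data): one client cycling
# through many distinct numbers in seconds, one ordinary client re-checking its own.
SAMPLE_LOG = """\
2024-06-25T10:00:00Z 203.0.113.5 POST /lookup phone=+15550000001 found=0
2024-06-25T10:00:00Z 203.0.113.5 POST /lookup phone=+15550000002 found=1
2024-06-25T10:00:01Z 203.0.113.5 POST /lookup phone=+15550000003 found=0
2024-06-25T10:00:01Z 203.0.113.5 POST /lookup phone=+15550000004 found=0
2024-06-25T10:00:02Z 203.0.113.5 POST /lookup phone=+15550000005 found=1
2024-06-25T10:00:02Z 203.0.113.5 POST /lookup phone=+15550000006 found=0
2024-06-25T10:00:03Z 198.51.100.7 POST /lookup phone=+15559990001 found=1
2024-06-25T10:00:09Z 198.51.100.7 POST /lookup phone=+15559990001 found=1
"""

# Assumed log layout: "<ts> <client ip> <method> /lookup phone=<E.164> found=<0|1>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) \S+ /lookup phone=(?P<phone>\+\d+) found=(?P<found>[01])$"
)

def parse_log(text):
    """Yield (timestamp, client_ip, phone, found) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["phone"], m["found"] == "1"

def find_enumerators(text, window=timedelta(seconds=60), min_distinct=5):
    """Flag clients querying >= min_distinct distinct phone numbers inside one window.

    Returns {ip: {"distinct": n, "miss_ratio": r}}; a high miss ratio means the
    client is probing numbers it does not own, which is the enumeration signature.
    """
    per_ip = defaultdict(list)
    for ts, ip, phone, found in parse_log(text):
        per_ip[ip].append((ts, phone, found))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):      # sliding window per client
            inwin = [e for e in events[i:] if e[0] - start <= window]
            distinct = {p for _, p, _ in inwin}
            if len(distinct) >= min_distinct:
                misses = sum(1 for _, _, f in inwin if not f)
                alerts[ip] = {"distinct": len(distinct),
                              "miss_ratio": round(misses / len(inwin), 2)}
                break
    return alerts
```

Running `find_enumerators(SAMPLE_LOG)` flags only 203.0.113.5; the same per-client distinct-number count is what a rate limit on the endpoint itself should key on, rather than raw request volume.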
This is just the latest in a saga of “scraping” of API endpoints in similar ways, which dates all the way back to Facebook essentially opening the doors to its stored vault of personal information with the rollout of its first APIs nearly two decades ago. The act itself is not even technically illegal. Authy and Twilio are unlikely to even see regulatory or legal trouble of any sort in the US, though the inclusion of EU customers in the mix could eventually lead to investigations.
While a data breach that “only” involves phone and account numbers would usually not be much to worry about, it is more concerning when those numbers are part of one of the most popular app-based 2FA services in use. The leaky API endpoint has essentially led attackers right to the devices on which users authenticate their logins, something that could become even more dangerous if other dark web information from prior data breaches is tied to these phone numbers.
Data breach could expose Authy customers to SIM swap attempts
Twilio says that the data breach went no further than the API endpoint and that internal systems and accounts remain otherwise secure, but even this fairly limited amount of data does mean that SIM swap attacks could be on the horizon in addition to an almost certain wave of phishing. Potentially impacted Authy customers may want to look into options that their phone carriers offer for additional protection against SIM swaps, such as a passcode that must be verified over the phone, if they think they could be targeted for things like crypto holdings or access to their employer’s network.
Twilio also appears to be simultaneously dealing with another data breach, this one involving a vendor to one of its backup carriers leaving an Amazon S3 bucket open to the public internet. This breach involves exposure of SMS messages, but appears to be limited to customers in particular countries (France, Italy, Burkina Faso, Ivory Coast, and Gambia).