33 million Authy users exposed in authentication app’s own security nightmare

A hacker claimed to have stolen 33 million phone numbers from US messaging giant Twilio. The company confirmed to CyberGuy that threat actors got access to the data associated with its Authy two-factor authentication (2FA) service.

Obtaining a list of phone numbers alone is not the biggest cyberattack, but it could still pose a threat to the owners of those numbers. Hackers may use these numbers to launch phishing attacks, send spam text messages, or attempt SIM swapping. Twilio has since patched its app to avoid future security incidents and has also cautioned users.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

 

What you need to know

On July 3, the hacker group known as ShinyHunters reportedly took to a hacking forum to boast about stealing 33 million cell phone numbers. Twilio said that the incident was “not a hack or breach” but rather the threat actors exploiting an “unauthenticated endpoint.” In simple terms, hackers exploited a specific part of Twilio’s system that didn’t require authentication.

The US messaging giant confirmed that hackers were able to identify data associated with Authy accounts, including phone numbers, but did not specify how many accounts were affected. The company stated that there is no evidence indicating that the hackers gained access to Twilio’s systems or other sensitive data. Twillio provided the following statement to CyberGuy:

Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

 

We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.

 

ANDROID USERS AT RISK AS BANKING TROJAN TARGETS MORE APPS

 

What do affected users need to do?

If you’ve been affected by the Twilio security incident, the first thing you need to do is download the latest version of the Authy app. Twilio has released a new version of the app that includes bug fixes and security updates. Android users can update the app from the Play Store, and iPhone users can head to the App Store.

You also need to be cautious of phishing attacks. While your Authy account itself is safe, hackers might use the phone number linked to your account to try some phishing tricks. This means they could contact you pretending to be from Authy or Twilio to trick you into giving away personal information.

 

ANDROID BANKING TROJAN MASQUERADES AS GOOGLE PLAY TO STEAL YOUR DATA

 

5 steps to take to protect your privacy and personal data

While hackers can misuse your personal information in various ways, there are several steps you can take to prevent harm.

1) Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but it’s not enough to stop all malicious software. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams.

My top pick is TotalAV, and you can get a limited-time CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.  

Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.

Best Antivirus Protection 2024

 

2) Use an identity theft protection service: Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

CyberGuy’s Exclusive Offer: Get the Identity Guard Ultra protection to protect your identity and credit through tax season and beyond for as little as $9.99/mo (lowest offered anywhere) for the first year. 

See my tips and best picks on how to protect yourself from identity theft.

Best identity theft protection services 2024

 

3) Invest in personal data removal services: While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.

A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.

Special for CyberGuy Readers (60% off):  Incogni offers A 30-day money-back guarantee and then charges a special CyberGuy discount only through the links in this article of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan and get a fully automated data removal service, including recurring removal from 175+ data brokers.  I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.

Get Incogni here

 

4) Use Multi-Factor Authentication: Enable two-factor authentication on your important accounts to add an extra layer of security beyond a password. This requires a second step, like a code sent to your phone, to log in.

 

5) Use a VPN: Consider using a VPN to protect against being tracked and to identify your potential location on websites that you visit.  Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location.

My top recommendation is ExpressVPN. It has a quick and easy setup, is available in 105 countries, and will not log your IP address, browsing history, traffic destination or metadata, or DNS queries.

Right now, you can get 3 extra months FREE with a 12-month ExpressVPN plan. That’s just $6.67 per month, a savings of 49%! Try it risk-free for 30 days.

For best VPN software, see my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android & iOS devices

Best VPNs for browsing the web privately 2024

 

HOW TO OUTSMART CRIMINAL HACKERS BY LOCKING THEM OUT OF YOUR DIGITAL ACCOUNTS

 

 

Kurt’s key takeaway

Authy is a two-factor authentication (2FA) service that users trust, but a security lapse in its system reminds users that no service is foolproof. The service maker maintains that hackers do not have access to Authy accounts, which is a relief. Companies should invest more in security infrastructure to ensure that their customers’ sensitive data does not get compromised so easily.

How do you think companies should improve their security measures to prevent incidents like the Twilio security incident? Let us know in the comments below.

FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

Copyright 2024 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.

Related posts

Best last minute holiday gifts

Understanding brushing scams and how to protect yourself

From TikTok to trouble: How your online data can be weaponized against you