Twilio’s Authy App Breach Exposes Millions of Phone Numbers

Unidentified threat actors exploited an unauthenticated endpoint in Authy to find information connected to Authy accounts, including user phone numbers, according to cloud communications provider Twilio.

The company said it has secured the endpoint so that it no longer accepts unauthenticated requests.

This came just a few days after a user going by the handle ShinyHunters posted a database on BreachForums that purportedly contained 33 million phone numbers taken from Authy accounts.

Twilio has owned Authy since 2015. Authy is a well-known two-factor authentication (2FA) service that strengthens account security.

In a security advisory dated July 1, 2024, the company stated, “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.”

However, out of an abundance of caution, it advises users to update their iOS (version 26.1.0 or later) and Android (version 25.1.0 or later) apps to the most recent version.

Additionally, it warned that threat actors might try to use the phone numbers linked to Authy accounts for phishing and smishing attempts.

“We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” it stated.
