Recently, a hacker claimed to have stolen 33 million phone numbers from Twilio, a prominent U.S. messaging company. Twilio has confirmed that the phone numbers of users of Authy, a widely used two-factor authentication app owned by Twilio, were compromised by “threat actors.”
The hacker, known as ShinyHunters, posted on a well-known hacking forum claiming to have hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told TechCrunch that the company detected unauthorized access to data related to Authy accounts, such as phone numbers, through an unauthenticated endpoint. The company says it has taken measures to secure the endpoint and prevent unauthorized requests.
Although there is no evidence of the threat actors accessing Twilio’s systems or sensitive data, Twilio advises all Authy users to update their Android and iOS apps for enhanced security and to be cautious of phishing and smishing attacks.
Twilio also issued a security alert on its official website urging users to stay informed.
While obtaining a list of phone numbers may not seem severe on its own, it can pose a threat if used in phishing attacks. Attackers could impersonate Authy/Twilio to users with known phone numbers, making the phishing attempts more convincing.
In 2022, Twilio experienced a major data breach in which hackers targeted more than 100 of the company’s customers and launched a phishing campaign that resulted in stolen employee credentials from numerous companies. The breach also affected Authy users, with hackers registering additional devices on victims’ accounts to steal two-factor codes.