Twilio says hackers have obtained phone numbers associated with its two-factor authentication (2FA) service, Authy, as reported earlier by TechCrunch. In a security alert on Monday, Twilio warns that the “threat actors” may try to use the stolen phone numbers to carry out phishing attacks and other scams.
The incident follows a 2022 data breach that occurred after a phishing campaign tricked employees into disclosing their login credentials. The attackers accessed data from 163 Twilio accounts and managed to access and register additional devices on 93 Authy accounts.
Twilio traced this leak back to “an unauthenticated endpoint” that it has since secured. Last week, the threat actor ShinyHunters published a list of 33 million phone numbers from Authy accounts on the dark web. As pointed out by BleepingComputer, the threat actor seems to have obtained the information by feeding a massive list of phone numbers into Authy’s unsecured API endpoint, which would then verify whether each number was associated with the app. This is a textbook account-enumeration weakness: an endpoint that needs no authentication and answers differently for registered and unregistered inputs lets anyone bulk-check a candidate list and harvest every hit.
“We encourage all Authy users to stay diligent and have heightened awareness about the texts they are receiving,” Twilio writes. It adds that it “has seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data” and that Authy accounts weren’t compromised. Twilio is advising users to update their Authy apps on Android and iOS (the Authy desktop app has been discontinued).