Breach Exposes Millions Of Mobile Numbers To Phishing Attacks

Cloud communications provider Twilio has published a statement that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' mobile phone numbers.

Authy is a mobile app that generates multi-factor authentication codes at websites where you have MFA enabled.

While the accounts themselves were not compromised, the exposure of phone numbers poses a significant risk of phishing and smishing attacks. And now the company has said that it has taken steps to secure the endpoint and so will no longer accept unauthenticated requests.

The development comes days after an infamous threat actor known as ShinyHunters published a database comprising 33 million phone numbers allegedly pulled from Authy accounts on the Dark Web.

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert. But out of an abundance of caution, it's recommending that users upgrade their Android, version 25.1.0 or later, and iOS, version 26.1.0 or later, apps to the latest version. It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks. "We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.

Limiting the damage caused by a data breach or leak is your first line of defence against scammers and fraudulent activity on your accounts. Here’s what you need to do:

  • Contact your mobile service provider to let them know your number has been compromised and that someone has been illegally accessing your accounts.
  • Switch the two-factor authentication on accounts using the compromised phone number. You can use either a safe phone number or an authenticator app.
  • When you make these adjustments, change your security questions as well.
  • Notify your friends, family and co-workers of any compromise so they don’t fall for any scams perpetrated in your name. 
  • Check your accounts for suspicious activity and watch out for social engineering attacks such as phishing via text messages or unsolicited phone calls.

Always report an  incident to your local police if you have fallen victim to fraud or identity theft.

Twilio     |    Coin Journal     |   Bleeping Computer   |   Hacker News     |     Bit Defender  |   The Hacker News       

Image: Unsplash

You Might Also Read:

Deepfakes Deployed In Mobile Banking Malware Attacks:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Half Of Employees Don’t Report Security Mistakes
Navigating The Complexities Of Data Backups In A Hybrid World »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

HDI

HDI

HDI is the worldwide professional association and certification body for the technical service and support industry.

ERNW

ERNW

ERNW is an independent IT Security service provider with a focus on consulting and testing in all areas of IT security.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

SecuLution

SecuLution

SecuLution is an Antivirus product using Application Whitelisting which offers much more protection than Virus Scanners ever can.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Redstor

Redstor

Redstor's complete data management helps you discover, manage and control your data from a single control centre, unifying backup and recovery, disaster recovery, archiving and search and insight.

Zymbit

Zymbit

Zymbit provides hardware security modules (HSM) for IoT devices, including Raspberry Pi and other single board computers.

Innovent Recycling

Innovent Recycling

Innovent Recycling provides a secure IT recycling & data destruction service to all types of organizations across the UK.

A3Sec

A3Sec

A3Sec provides professional solutions in the areas of Cybersecurity, Device Monitoring, Business Intelligence and Big Data.

ZecOps

ZecOps

ZecOps is a cybersecurity automation company offering solutions for servers, endpoints, mobile devices, and custom devices.

Finosec

Finosec

Finosec's mission is to change the way information security and cybersecurity are managed in banking.

Exterro

Exterro

Exterro is a leading provider of e-discovery and information governance software specifically designed for in-house legal, privacy and IT teams at Global 2000 and Am Law 200 organizations.

Catalyst Campus For Technology & Innovation

Catalyst Campus For Technology & Innovation

Catalyst Campus is a collaborative ecosystem to create community, spark innovation and stimulate business growth.

Hughes Network Systems

Hughes Network Systems

Hughes are industry leaders in networking technologies and services, innovating constantly to deliver the global solutions that power a connected future for people, enterprises and things everywhere.

International Maritime Cyber Security Organisation (IMCSO)

International Maritime Cyber Security Organisation (IMCSO)

The IMCSO mission is to be the standard in the maritime cyber security industry, a collective voice, working towards alignment and standardisation.

Reclaim Security

Reclaim Security

Reclaim Security is your always-on force multiplier, empowering security teams to eliminate threat exposure using your existing security stack.