Breach Exposes Millions Of Mobile Numbers To Phishing Attacks

Uploaded on 2024-07-09 in FREE TO VIEW

Cloud communications provider Twilio has published a statement that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' mobile phone numbers.

Authy is a mobile app that generates multi-factor authentication codes at websites where you have MFA enabled.

While the accounts themselves were not compromised, the exposure of phone numbers poses a significant risk of phishing and smishing attacks. And now the company has said that it has taken steps to secure the endpoint and so will no longer accept unauthenticated requests.

The development comes days after an infamous threat actor known as ShinyHunters published a database comprising 33 million phone numbers allegedly pulled from Authy accounts on the Dark Web.

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert. But out of an abundance of caution, it's recommending that users upgrade their Android, version 25.1.0 or later, and iOS, version 26.1.0 or later, apps to the latest version. It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks. "We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.

Limiting the damage caused by a data breach or leak is your first line of defence against scammers and fraudulent activity on your accounts. Here’s what you need to do:

  • Contact your mobile service provider to let them know your number has been compromised and that someone has been illegally accessing your accounts.
  • Switch the two-factor authentication on accounts using the compromised phone number. You can use either a safe phone number or an authenticator app.
  • When you make these adjustments, change your security questions as well.
  • Notify your friends, family and co-workers of any compromise so they don’t fall for any scams perpetrated in your name. 
  • Check your accounts for suspicious activity and watch out for social engineering attacks such as phishing via text messages or unsolicited phone calls.

Always report an  incident to your local police if you have fallen victim to fraud or identity theft.

Twilio     |    Coin Journal     |   Bleeping Computer   |   Hacker News     |     Bit Defender  |   The Hacker News       

Image: Unsplash

You Might Also Read:

Deepfakes Deployed In Mobile Banking Malware Attacks:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Half Of Employees Don’t Report Security Mistakes
Navigating The Complexities Of Data Backups In A Hybrid World »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Varonis

Varonis

Varonis provide a security software platform to let organizations track, visualize, analyze and protect their unstructured data.

Canadian Centre for Cyber Security (CCCS)

Canadian Centre for Cyber Security (CCCS)

The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure, the private sector and the public.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Advanced Software Products Group (ASPG)

Advanced Software Products Group (ASPG)

ASPG offers a wide range of innovative mainframe software solutions for Data Security, Access Management, System Management and CICS productivity.

NT Cyfence

NT Cyfence

CAT Cyfence is the IT Security services business unit of CAT Telecoms.

Hexnode MDM

Hexnode MDM

Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

Appsec Phoenix

Appsec Phoenix

Appsec Phoenix is an end to end vulnerability management platform that focuses on workflows, threat feed, and real time data.

HiddenLayer

HiddenLayer

HiddenLayer is a provider of security solutions for machine learning algorithms, models and the data that power them.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

PagerDuty

PagerDuty

PagerDuty is the central nervous system for a company’s digital operations. We identify issues in real-time and bring together the right people to respond to problems faster.

Abacus Group

Abacus Group

Abacus Group is a global IT services firm for alternative investment firms, providing an enterprise technology platform specifically designed to meet the unique needs of financial services.

MIS Solutions

MIS Solutions

MIS Solutions is a managed cloud and IT security partner making technology work for you.

Irys Technologies

Irys Technologies

Irys Technologies specialize in pioneering digital transformation solutions designed to streamline communications and enhance maintenance and operational efficiency for a variety of sectors.

Maverits

Maverits

At Maverits, we are on a mission to reshape the cybersecurity landscape. We offer a wide range of services, including Threat Intelligence, Incident Response, Consulting & Training.

Unosecur

Unosecur

Unosecur is a comprehensive identity security platform that addresses identity-related threats in multi-cloud and on-premise environments.