Breach Exposes Millions Of Mobile Numbers To Phishing Attacks

Cloud communications provider Twilio has published a statement that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' mobile phone numbers.

Authy is a mobile app that generates multi-factor authentication codes at websites where you have MFA enabled.

While the accounts themselves were not compromised, the exposure of phone numbers poses a significant risk of phishing and smishing attacks. And now the company has said that it has taken steps to secure the endpoint and so will no longer accept unauthenticated requests.

The development comes days after an infamous threat actor known as ShinyHunters published a database comprising 33 million phone numbers allegedly pulled from Authy accounts on the Dark Web.

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert. But out of an abundance of caution, it's recommending that users upgrade their Android, version 25.1.0 or later, and iOS, version 26.1.0 or later, apps to the latest version. It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks. "We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.

Limiting the damage caused by a data breach or leak is your first line of defence against scammers and fraudulent activity on your accounts. Here’s what you need to do:

  • Contact your mobile service provider to let them know your number has been compromised and that someone has been illegally accessing your accounts.
  • Switch the two-factor authentication on accounts using the compromised phone number. You can use either a safe phone number or an authenticator app.
  • When you make these adjustments, change your security questions as well.
  • Notify your friends, family and co-workers of any compromise so they don’t fall for any scams perpetrated in your name. 
  • Check your accounts for suspicious activity and watch out for social engineering attacks such as phishing via text messages or unsolicited phone calls.

Always report an  incident to your local police if you have fallen victim to fraud or identity theft.

Twilio     |    Coin Journal     |   Bleeping Computer   |   Hacker News     |     Bit Defender  |   The Hacker News       

Image: Unsplash

You Might Also Read:

Deepfakes Deployed In Mobile Banking Malware Attacks:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Half Of Employees Don’t Report Security Mistakes
Navigating The Complexities Of Data Backups In A Hybrid World »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

mile2

mile2

Mile2 develop and deliver proprietary vendor neutral professional certifications for the cyber security industry.

PROMIA

PROMIA

PROMIA is in the business of providing solutions that are designed to support highly secure, reliable, scalable and interoperable business applications.

ThreatQuotient

ThreatQuotient

ThreatQuotient delivers an open and extensible threat intelligence platform to provide defenders the context, customization and collaboration needed for increased security effectiveness.

Temasoft

Temasoft

TEMASOFT is a software company focused on developing security and infrastructure products.

Excellium Services

Excellium Services

Excellium’s Professional Services team combines expertise and experience that complements your in-house security resources.

Fraugster

Fraugster

Fraugster provides the most precise anti-fraud solution for e-commerce businesses.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

SEEK

SEEK

SEEK create world-class technology solutions to address the needs of job seekers and hirers across multiple sectors including cybersecurity.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

Prompt

Prompt

Prompt supports the creation of partnerships and the setting up of industrial-institutional applied R&D projects for all ICT sectors.

Nu Quantum

Nu Quantum

Nu Quantum is developing quantum photonics hardware to power the quantum revolution in communications, sensing and computing.

CyberFOX

CyberFOX

CyberFOX is a global cybersecurity solutions provider focused on identity access management (IAM) for managed service providers (MSPs) and IT professionals.

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center is a state-of-the-art facility to deliver advanced cyber training programs and build the next generation of Azerbaijan’s cybersecurity professionals.

Simbian

Simbian

Simbian, with its hardened TrustedLLM system, is the first to accelerate security by empowering every member of a security team from the C-Suite to frontline practitioners.

Neeve

Neeve

Neeve is an edge cloud platform transforming smart buildings and spaces, making them more secure, smarter, and more sustainable.

Reasonable Risk

Reasonable Risk

Reasonable Risk is the only SaaS GRC platform with Duty of Care Risk Analysis (DoCRA) built in, providing a sensible and defensible cybersecurity position for an organization.