Malicious actors have managed to steal more than 33 million phone numbers used by users of two-factor authentication service Authy.

Authy is a popular security application for managing authentication codes for apps and online services. Such codes increase the security of sign-ins, as they need to be entered in a second step of authentication.

Here are the key points:

  • A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers.
  • The list was retrieved via an improperly secured API endpoint.
  • The attacker fed the API a large number of phone numbers that were known to the Authy system.
  • Attackers can use phone numbers in SMS phishing or SIM swapping attacks.
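To show what "improperly secured" means in practice, here is an added illustration in Python. It is not Authy's or Twilio's code, and the endpoint shape, the phone numbers, the source address and the rate-limit values are all constructed for the example. It contrasts a lookup whose reply reveals whether a number is registered with a hardened version that answers identically either way, and adds a per-source rate limit that refuses and flags bulk lookups of the kind described above.

```python
from collections import Counter, defaultdict, deque

# Constructed sample data for the example; none of these are real accounts.
REGISTERED = {"+15550100001", "+15550100002", "+15550100003"}
CANDIDATES = sorted(REGISTERED) + [f"+1555010009{i}" for i in range(5)]


def enumerable_lookup(number: str) -> dict:
    """Weak pattern: the reply differs for registered and unknown numbers,
    so anyone who submits a list learns which numbers belong to accounts."""
    if number in REGISTERED:
        return {"status": 200, "registered": True}
    return {"status": 404, "error": "unknown number"}


def hardened_lookup(number: str) -> dict:
    """Hardened pattern: the same reply whether or not the number is
    registered. Any real work (sending a code, notifying the device) is
    queued out of band and is not reflected in the response."""
    return {"status": 202,
            "message": "If this number is registered, a verification will be sent."}


def distinguishable_numbers(lookup, candidates) -> set:
    """What an observer can learn from response differences alone: the
    numbers whose reply deviates from the most common reply."""
    replies = {n: tuple(sorted(lookup(n).items())) for n in candidates}
    common, _ = Counter(replies.values()).most_common(1)[0]
    return {n for n, r in replies.items() if r != common}


class EnumerationGuard:
    """Per-source sliding window: at most `limit` lookups per `window`
    seconds; a source that exceeds it is refused and flagged for review."""

    def __init__(self, limit: int = 20, window: float = 60.0):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # source -> timestamps inside the window
        self.flagged = set()

    def allow(self, source: str, now: float) -> bool:
        q = self.events[source]
        while q and now - q[0] > self.window:
            q.popleft()                     # drop timestamps that left the window
        if len(q) >= self.limit:
            self.flagged.add(source)        # bulk lookup: refuse and record the source
            return False
        q.append(now)
        return True


def simulate_burst(guard: EnumerationGuard, source: str, n: int) -> int:
    """Submit n lookups from one source, 0.1 s apart; return how many pass."""
    return sum(1 for i in range(n) if guard.allow(source, i * 0.1))


if __name__ == "__main__":
    print("leaky endpoint reveals:", distinguishable_numbers(enumerable_lookup, CANDIDATES))
    print("hardened endpoint reveals:", distinguishable_numbers(hardened_lookup, CANDIDATES))
    guard = EnumerationGuard()
    print("requests allowed of 100:", simulate_burst(guard, "203.0.113.7", 100),
          "flagged:", guard.flagged)
```

The uniform reply only closes the channel in the response body and status code; in a real service the processing time for registered and unknown numbers should also be kept indistinguishable, and the flagged sources should feed into monitoring so that a slow, distributed enumeration is caught as well as a single-source burst.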

Authy’s parent company Twilio confirmed the authenticity of the data and the hack to BleepingComputer.

The company revealed that it has secured the endpoint used in the attack. It also released an update for its Android and iOS apps as a precaution.

What Affected Users Can Do

Authy users cannot check whether their phone number is included in the leak. There is no direct threat, because the threat actor cannot do anything with the phone number alone.

However, attacks are possible:

  • SMS phishing attacks that try to trick users into sharing authentication codes or downloading malware onto their devices.
  • SIM swap attacks, which require additional personal information, such as the victim’s cellular provider.

Attackers could use online searches or other databases to link phone numbers to their owners.

Data in Authy is currently protected. However, this is not the first incident. Back in 2022, Twilio confirmed it suffered a data breach.

If this reminds you of LastPass, a password management service that has suffered a series of hacks and problems over the past couple of years, you’re not exactly wrong.

Transferring from Authy to another service

Migration is not straightforward, as Authy does not support exporting. There is a workaround that uses an older version of the desktop app, but it may stop working soon, as Authy is discontinuing the desktop program.

The only other option is to transfer the data manually. This involves the following steps:

  • Sign in to the service for which the codes have been created in Authy.
  • Turn off 2FA in that service’s preferences.
  • Enable 2FA again, this time using the new authenticator app.

Repeat these steps for every service and delete each entry in Authy after its transfer is complete. To do so, long-tap the item in Authy and select the remove option.

As for alternatives, see my reviews of the open source authenticator Aegis or of Bitwarden Authenticator.

Concluding words

Should you trust a service that has had multiple breaches in the past, or should you move to one that hasn’t? LastPass users have faced this question many times in the past, and it’s the same question Authy users should be asking themselves.

Whether you migrate or not is up to you. Migrating is painful due to the lack of proper export options.

Do you use authenticator apps? If so, which one is your favorite at the moment?


Hackers stole millions of Authy 2FA phone numbers

Martin Brinkmann, Ghacks Technology News