Introduction
Attackers have obtained more than 33 million phone numbers belonging to users of the two-factor authentication app Authy. Authy is a popular application for managing the one-time codes that apps and online services request as a second step during sign-in; because a login also requires the current code, a stolen password alone is not enough to get in.
The Breach Details
A threat actor leaked a CSV file containing 33 million phone numbers of Authy customers. The list was harvested from an unauthenticated API endpoint: the attacker submitted a large number of phone numbers and recorded which ones the service acknowledged as registered, a textbook user-enumeration attack. Twilio, Authy's parent company, confirmed the authenticity of the data and the incident to Bleeping Computer. It has since secured the endpoint and released updates for the Android and iOS apps as a precaution.
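The endpoint described above is a membership oracle: as long as the reply differs for registered and unregistered numbers, an attacker can push through any list and keep the hits. The following is an added example, not Twilio's code and not a description of Authy's real API, showing that vulnerable pattern beside a hardened handler that requires a session token, throttles each client and returns the same body either way. The phone numbers, the session token and the client address are constructed for the demo.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, List

# Constructed stand-in for the backend's user table (hypothetical numbers).
REGISTERED = {"+15550100", "+15550102", "+15550107"}


def lookup_vulnerable(phone: str) -> dict:
    """Membership oracle: no authentication, no throttling, and the body states
    whether the number belongs to a user. Feed it a list and you get back the
    subset that are customers."""
    return {"status": 200, "registered": phone in REGISTERED}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # expire old requests
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


SESSION_TOKENS = {"sess-3f9a"}  # constructed: tokens a logged-in app would hold


def lookup_hardened(phone: str, token: str, client: str, now: float,
                    limiter: SlidingWindowLimiter) -> dict:
    """Same feature without the oracle: the caller needs a valid session, each
    client is throttled, and the reply is identical whether or not the number
    exists. Any real work (sending a code) happens out of band and is never
    reflected in the status or body."""
    if token not in SESSION_TOKENS:
        return {"status": 401}
    if not limiter.allow(client, now):
        return {"status": 429}
    if phone in REGISTERED:
        pass  # e.g. queue a verification SMS; nothing about this reaches the reply
    return {"status": 202,
            "message": "If this number is registered, a code has been sent."}


def harvest(candidates: Iterable[str], endpoint: Callable[[str], dict]) -> List[str]:
    """The attacker's loop: submit every candidate, keep those the endpoint confirms."""
    return [p for p in candidates if endpoint(p).get("registered") is True]


CANDIDATES = [f"+1555010{i}" for i in range(10)]  # constructed probe list


def statuses_hardened(candidates: Iterable[str], limiter: SlidingWindowLimiter,
                      token: str = "sess-3f9a", client: str = "198.51.100.9",
                      now: float = 1_700_000_000.0) -> List[int]:
    """Status codes one client sees when probing `candidates` in a single burst."""
    return [lookup_hardened(p, token, client, now, limiter)["status"] for p in candidates]


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", harvest(CANDIDATES, lookup_vulnerable))
    lim = SlidingWindowLimiter(limit=5, window=60.0)
    print("hardened endpoint leaks:", harvest(
        CANDIDATES, lambda p: lookup_hardened(p, "sess-3f9a", "198.51.100.9", 1_700_000_000.0, lim)))
    print("hardened statuses:", statuses_hardened(CANDIDATES, SlidingWindowLimiter(5, 60.0)))
```

The throttle and the session check raise the cost of bulk probing, but neither is sufficient on its own: an attacker with many addresses or many accounts gets around both. The property that actually closes the leak is the uniform response, which is why the hardened handler computes the same status and message regardless of what it finds in the user table.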
Potential Risks
Authy customers have no way to check whether their phone number is in the leak. A phone number on its own does not give anyone access to an account, but the list is useful raw material for SMS phishing and SIM swapping. Phishing texts may try to trick users into sharing authentication codes or installing malware; treat any unsolicited message that references Authy or Twilio, or asks for a code, as hostile. SIM swapping is more involved and requires additional personal information, usually obtained by working the victim's cellular provider. Attackers may combine the numbers with online searches or other breached databases to link them to names. The data stored inside Authy, including the secrets that generate the codes, has not been accessed as far as is known.
Steps for Affected Users
If you are considering moving from Authy to another authenticator, be aware that the move is not straightforward because Authy offers no export function. A workaround using an older version of the desktop app exists, but it may stop working soon since Authy is discontinuing the desktop program. The remaining option is to re-enrol each account by hand:
- Sign in to a service for which Authy generates codes.
- Disable 2FA in the account's security settings.
- Re-enable 2FA and scan the new QR code with the replacement authenticator app.
- Confirm that a code from the new app is accepted by the service, and only then delete the entry from Authy. Repeat for each remaining service.
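The last step is where an account gets locked out: if the new app was enrolled with the wrong secret, digit count or algorithm and the Authy entry is already deleted, the only way back is the service's recovery flow. The following is an added example, not code from the original article and not Authy's or Twilio's, that parses the otpauth:// URI encoded in the QR code a service shows during re-enrolment and derives the TOTP per RFC 6238, so the code displayed by the new authenticator can be checked against it before the Authy entry goes. The sample URI uses the RFC 6238 test secret; its label and issuer are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI: the secret is the RFC 6238 test key
# ("12345678901234567890" in base32); label and issuer are made up.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the QR-code payload) into its parameters,
    applying the defaults most services rely on: SHA1, 6 digits, 30 s steps."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are supported")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"].upper().replace(" ", ""),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": algorithm,
    }


def totp(params: dict, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP for the parsed parameters at Unix time `at` (default: now)."""
    secret = params["secret"]
    secret += "=" * (-len(secret) % 8)  # QR payloads usually omit base32 padding
    key = base64.b32decode(secret, casefold=True)
    moment = int(time.time()) if at is None else at
    counter = moment // params["period"]
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[params["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** params["digits"])).zfill(params["digits"])


def codes_match(uri: str, code_from_new_app: str, at: Optional[int] = None) -> bool:
    """True when the code shown by the replacement app equals the one derived
    from the URI for the same time step; compared in constant time."""
    return hmac.compare_digest(totp(parse_otpauth(uri), at), code_from_new_app)


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(params["issuer"], params["label"], "->", totp(params))
```

Run it with the URI from the QR code (most apps can reveal it under the entry's details) and compare its output with the code the new app shows; a mismatch means the app was enrolled with different parameters and the entry should be re-scanned before anything is deleted from Authy. Treat the URI as a secret: anyone who obtains it can generate your codes.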
As alternatives, consider open-source authenticators such as Aegis (Android only) or Bitwarden Authenticator (Android and iOS); both can export their entries, which avoids repeating this exercise next time.
Closing Words
Should you trust a service that has experienced several breaches, or move to one that has not? LastPass customers have faced similar dilemmas in the past. Whether to migrate is a personal choice, often dictated by convenience and trust levels. If you use authenticator apps, which is your preferred one at the moment?