Authy Security Breach: What You Need to Know


Introduction

Malicious actors have obtained more than 33 million phone numbers belonging to users of the two-factor authentication service Authy. Authy is a popular security application for managing the authentication codes used by apps and online services. These codes strengthen sign-in security because they must be entered in a second stage of authentication, after the password.

The Breach Details

A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers. The list was obtained through an improperly secured API endpoint: the attacker fed the API a large number of phone numbers and used its responses to identify which ones were known to the Authy system. Twilio, Authy's parent company, confirmed to BleepingComputer that the data is authentic and that the incident occurred. It has since secured the endpoint and released updates for Android and iOS as a precaution.
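To make the enumeration weakness concrete, here is an added, self-contained model of such an endpoint beside a hardened version (this is illustrative code, not Twilio's or Authy's, and the phone numbers, token and handler names are constructed for the example). The vulnerable handler answers differently depending on whether a number is registered, which is exactly what lets a caller sift a bulk list into known and unknown numbers; the hardened handler requires a token, returns one fixed response either way, and rate-limits each client.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: the numbers "registered" in our toy service.
REGISTERED = {"+15555550101", "+15555550102", "+15555550103"}

def lookup_vulnerable(phone: str) -> dict:
    """Unauthenticated endpoint whose response reveals whether a number is known."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "unknown phone"}}

class HardenedLookup:
    """Same lookup, but (1) requires a bearer token, (2) returns one fixed
    response whether or not the number is known, so membership never leaks,
    and (3) rate-limits each client over a sliding window."""

    def __init__(self, valid_tokens, limit=5, window_s=60.0, clock=time.monotonic):
        self.valid_tokens = set(valid_tokens)
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits = defaultdict(deque)  # token -> timestamps of recent calls

    def lookup(self, token: str, phone: str) -> dict:
        if token not in self.valid_tokens:
            return {"status": 401, "body": {"error": "unauthorized"}}
        now, q = self.clock(), self.hits[token]
        while q and now - q[0] > self.window_s:  # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return {"status": 429, "body": {"error": "rate limited"}}
        q.append(now)
        # Do any real work server-side (e.g. deliver a code) but never echo
        # back to the caller whether the number was registered.
        _ = phone in REGISTERED
        return {"status": 202, "body": {"message": "if registered, a code was sent"}}

def leaks_membership(handler, known: str, unknown: str) -> bool:
    """Defender check: does the endpoint answer differently for a number it
    knows versus one it does not? Any observable difference is an oracle."""
    return handler(known) != handler(unknown)
```

Running `leaks_membership` against your own lookup handlers (with a fresh client per check so the rate limiter does not skew the comparison) is a quick regression test for this class of bug; a real deployment would also compare response timing, not just the body and status code.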

Potential Risks

Authy customers have no way to check whether their phone number is included in the leak. While there is no direct threat, attackers may use the phone numbers in SMS phishing or SIM swapping attacks. SMS phishing might trick users into sharing authentication codes or downloading malware. SIM swapping attacks are more complex and require additional personal information, and they usually involve the victim's cellular provider. Attackers could use online searches or other databases to link phone numbers to their owners. However, the data stored within Authy itself remains secure at this point.

Steps for Affected Users

For those considering migrating from Authy to another service, be aware that migration is not straightforward, because Authy offers no export function. A workaround exists using an older version of the desktop app, but it may soon stop working, as Authy is discontinuing the desktop program. The only other option is manual migration:

  • Sign in to the service for which Authy generates codes.
  • Turn off 2FA in that service's security preferences.
  • Re-enable 2FA and enrol the new authenticator app instead.
  • Repeat for each service, then delete the migrated entries from Authy.

As alternatives, consider open-source authenticators like Aegis or Bitwarden Authenticator.

Closing Words

Should you trust a service that has experienced several breaches, or move to one that has not? LastPass customers have faced similar dilemmas in the past. Whether to migrate is a personal choice, often dictated by convenience and trust levels. If you use authenticator apps, which is your preferred one at the moment?

Carl S. Seibel