Threat actors exploit API to verify Authy MFA phone numbers

July 5, 2024

Customer engagement platform Twilio has revealed that an unauthenticated API endpoint allowed threat actors to confirm which phone numbers are enrolled in its Authy MFA service, for millions of customers. The incident exposes those customers to SMS phishing and SIM-swapping attacks.

Authy is a mobile app that generates multi-factor authentication (MFA) codes for websites and services that support this security feature.

Last month, a threat group calling itself ShinyHunters published a CSV text file containing what it claims are 33 million phone numbers enrolled with the Authy service. The file has 33,420,546 rows, each with an account ID, phone number, an "over_the_top" column, account status, and device count.

Twilio has confirmed that the threat actors compiled the list of phone numbers by querying an unauthenticated API endpoint.

The initial investigation found no evidence that the threat actors gained access to Twilio's systems or to other sensitive data. Still, as a precaution, the company urged all Authy users to update to the most recent Android and iOS apps, which include security updates, and to remain vigilant against phishing and smishing attempts.

The attackers fed a large list of phone numbers to a vulnerable API endpoint

According to reports, the attackers gathered the data by submitting a large list of phone numbers to the unauthenticated endpoint, which returned details about the associated Authy account whenever the number was enrolled. Numbers that were not enrolled produced a different response, so every query doubled as a yes/no test of whether a number belongs to an Authy user.

Twilio has since secured the endpoint, so it can no longer be used to determine whether a phone number is associated with Authy. The tactic is the same one threat actors used against unsecured Twitter and Facebook APIs to build profiles of millions of people from a mix of public and private information.
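To make the mechanism concrete, here is an added illustration of both halves of the story: an unauthenticated lookup endpoint whose response differs for enrolled and unknown numbers, the attacker loop that turns that difference into a list of enrolled numbers, and a hardened version of the same endpoint that requires an API key, rate-limits each client, and answers identically regardless of enrolment. This is hypothetical example code written for this article, not Twilio's or Authy's; the in-memory enrolment table, the `client-A` credential, and the number block are all constructed (the per-row fields mirror the columns reported in the leaked CSV).

```python
"""Phone-number enumeration through an unauthenticated lookup endpoint, beside
a hardened counterpart. Hypothetical illustration; not Twilio/Authy code."""

from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List
import hmac

# Constructed sample data standing in for an MFA provider's enrolment table.
REGISTERED: Dict[str, dict] = {
    "+15550100001": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15550100005": {"account_id": 1005, "status": "active", "device_count": 1},
    "+15550100042": {"account_id": 1042, "status": "inactive", "device_count": 0},
}


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_lookup(phone: str) -> Response:
    """No authentication, and the answer differs for enrolled vs. unknown
    numbers, so the endpoint doubles as a free existence oracle."""
    acct = REGISTERED.get(phone)
    if acct is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"phone": phone, **acct})


@dataclass
class RateLimiter:
    """Sliding-window counter per caller; `now` is passed in so runs are
    deterministic (a real service would read the clock)."""
    max_per_window: int
    window_seconds: float
    _hits: Dict[str, List[float]] = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        live = [t for t in self._hits.get(key, []) if now - t < self.window_seconds]
        allowed = len(live) < self.max_per_window
        if allowed:
            live.append(now)
        self._hits[key] = live
        return allowed


API_KEYS = {"client-A": "k-secret-A"}  # hypothetical credential store


def make_hardened_lookup(limit_per_minute: int = 5) -> Callable[..., Response]:
    """Build a lookup handler with its own rate limiter. It requires an API
    key, throttles per client, and returns the same body whether or not the
    number is enrolled, so probing it reveals nothing about enrolment."""
    limiter = RateLimiter(limit_per_minute, 60.0)

    def lookup(phone: str, client_id: str = "", api_key: str = "", now: float = 0.0) -> Response:
        expected = API_KEYS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            return Response(401, {"error": "unauthorized"})
        if not limiter.allow(client_id, now):
            return Response(429, {"error": "rate limited"})
        # The server may still act on enrolment internally (e.g. deliver a
        # code to an enrolled number), but the caller is told nothing that
        # depends on it.
        _enrolled = phone in REGISTERED
        return Response(202, {"message": "request accepted"})

    return lookup


def enumerate_numbers(candidates: List[str], probe: Callable[[str], Response]):
    """Attacker loop: feed every candidate to the endpoint and keep those whose
    response reveals an enrolled account. Returns (found, status histogram)."""
    found: Dict[str, dict] = {}
    statuses: Counter = Counter()
    for number in candidates:
        r = probe(number)
        statuses[r.status] += 1
        if r.status == 200:
            found[number] = r.body
    return found, statuses


# Constructed block of 50 candidate numbers, +15550100000 .. +15550100049.
CANDIDATES = [f"+1555010{i:04d}" for i in range(50)]

if __name__ == "__main__":
    leaked, st = enumerate_numbers(CANDIDATES, vulnerable_lookup)
    print("vulnerable endpoint leaked:", sorted(leaked), dict(st))
    keyed = make_hardened_lookup()
    got, st = enumerate_numbers(
        CANDIDATES, lambda n: keyed(n, "client-A", "k-secret-A", now=100.0))
    print("hardened endpoint leaked:", sorted(got), dict(st))
```

Against `vulnerable_lookup` the loop recovers exactly the three enrolled numbers out of 50 guesses; against the hardened handler an anonymous caller gets nothing but 401s, and even a caller holding a valid key sees five 202s and then 429s, none of which distinguishes enrolled from unknown numbers. The uniform response is the part that actually closes the oracle; authentication and rate limiting only raise the cost of abusing it.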

Researchers also noted that, even though the Authy scrape contains little beyond phone numbers and account metadata, it is still valuable to threat actors planning smishing and SIM-swapping attacks: it tells them which numbers belong to people who protect accounts with MFA, and therefore which victims are worth targeting.

Users should therefore make sure their mobile carrier account requires a passcode before the number can be ported to another carrier or SIM, or before security settings on the account can be changed. They should also be alert to SMS phishing messages designed to steal credentials or one-time codes.
