Twilio says hackers identified cell phone numbers of two-factor app Authy users


Last week, a hacker claimed to have stolen 33 million phone numbers from US messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone numbers of people who use Authy, a popular two-factor authentication app owned by Twilio.

In a post on a popular hacking forum, a hacker using the handle ShinyHunters wrote that they had hacked Twilio and obtained the cell phone numbers of 33 million users.

Twilio spokesperson Kari Ramirez told TechCrunch that the company “discovered that threat actors were able to access identifying data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We’ve taken action to secure this endpoint and will no longer allow unauthenticated requests.”

“We have found no evidence that threat actors have gained access to Twilio’s systems or other sensitive data. As a precaution, we are urging all Authy users to update the latest Android and iOS apps to the latest security updates and encouraging all Authy users to remain vigilant and increase their awareness of phishing and smishing attacks,” Ramirez wrote in an email.

Twilio also published an alert on its official website on Monday that included the same statement.
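The flaw Twilio describes is an account-existence oracle: an endpoint that answers unauthenticated callers and responds differently depending on whether a phone number belongs to an account. The following is an added, constructed illustration (not Twilio's or Authy's code, and the phone numbers, tokens and status codes are assumptions) that models such an endpoint beside a hardened version that requires authentication, responds uniformly, and rate-limits callers:

```python
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data: nothing here is real.
REGISTERED = {"+15550000001", "+15550000002"}
VALID_TOKENS = {"session-abc": "+15550000001"}


def weak_lookup(phone: str) -> Dict:
    """Vulnerable pattern: no authentication, and the response differs for
    registered numbers, so a caller can confirm which numbers have accounts."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True, "phone": phone}}
    return {"status": 404, "body": {"error": "not found"}}


RATE_LIMIT = 5          # assumed per-caller budget for this illustration
_calls = defaultdict(int)


def hardened_lookup(phone: str, token: Optional[str], caller: str) -> Dict:
    """Hardened pattern: the caller must present a valid session token, is
    rate-limited, and receives the same response whether or not the number
    is registered (any follow-up goes out of band, e.g. to the number itself)."""
    if token not in VALID_TOKENS:
        return {"status": 401, "body": {"error": "authentication required"}}
    _calls[caller] += 1
    if _calls[caller] > RATE_LIMIT:
        return {"status": 429, "body": {"error": "rate limited"}}
    # Identical body and status for registered and unregistered numbers.
    return {"status": 202, "body": {"message": "request accepted"}}


def distinct_statuses(lookup: Callable[[str], Dict], probes: List[str]) -> Set[int]:
    """Defender-side check: probe an endpoint with registered and unregistered
    numbers. More than one distinct status means the endpoint leaks existence."""
    return {lookup(p)["status"] for p in probes}


if __name__ == "__main__":
    probes = ["+15550000001", "+15550000009"]
    print("weak endpoint statuses:", distinct_statuses(weak_lookup, probes))
    print("hardened, no token:",
          distinct_statuses(lambda p: hardened_lookup(p, None, "anon"), probes))
    print("hardened, with token:",
          distinct_statuses(lambda p: hardened_lookup(p, "session-abc", "u1"), probes))
```

Running the same probe set against both handlers shows the weak endpoint yielding two statuses and the hardened one yielding a single status in every case; the per-caller counter is also what a 429 spike in access logs would surface during bulk lookups.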

Although a list of phone numbers, on its own, might not seem like the most dangerous kind of data breach, it can still pose a threat to the owners of those numbers.

“If attackers are able to generate a list of user phone numbers, those attackers can then pretend to be Authy/Twilio for those users, increasing the credibility of a phishing attack on that phone number,” Rachel Tobac, a social engineering expert and CEO of SocialProof Security, told TechCrunch.

Tobac explained that hackers can now specifically target people they know are Authy users, giving attackers a chance to make their malicious messages look as though they actually came from Authy and Twilio.

In 2022, Twilio suffered a major data breach when a group of hackers gained access to the data of more than 100 company customers. The hackers then launched a widespread phishing campaign that resulted in the theft of nearly 10,000 employee credentials from at least 130 companies. As part of that breach, Twilio said at the time that the hackers successfully targeted 93 individual Authy users and were able to register additional devices on those victims’ Authy accounts, allowing them to effectively steal the actual two-factor codes.

Update, 12:52 PM ET: This story has been corrected to clarify that the 2022 Twilio breach is not directly connected to the phishing campaign that resulted in the theft of nearly 10,000 employee credentials from multiple companies. Both attacks were reportedly carried out by the same threat actors.
