Cloud communications provider Twilio has revealed that unidentified threat actors exploited an unauthenticated endpoint within Authy to identify data associated with Authy accounts, including users’ mobile phone numbers.
The company said it has taken steps to ensure that the endpoint no longer accepts unauthenticated requests.
The development comes days after an online persona named ShinyHunters published on BreachForums a database containing 33 million phone numbers purportedly pulled from Authy accounts.
Owned by Twilio since 2015, Authy is a popular two-factor authentication (2FA) app that adds an extra layer of account security.
“We have seen no evidence that threat actors gained access to Twilio systems or other sensitive data,” the security alert, dated July 1, 2024, said.
But out of caution, users are advised to update their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version.
The alert also warns that threat actors may try to use the phone numbers associated with Authy accounts for phishing and smishing attacks.
“We encourage all Authy users to remain vigilant and be aware of the texts they receive,” the post said.