Authy users urged to remain vigilant after hack exposes 33 million phone numbers

Twilio has updated its two-factor authentication (2FA) service Authy after a hacker claimed to have retrieved 33 million phone numbers from the user database.

TechCrunch reported that hackers known as ShinyHunters boasted on a popular hacker forum that they had stolen 33 million cell phone numbers. The theft was achieved by using an “authenticated endpoint,” as Twilio described it.

The US messaging giant confirmed this week that “threat actors” had gained access to its servers and stolen users’ phone numbers, but did not provide details on how many were affected. The company said it had taken steps to secure the exploit and prevent similar unauthenticated requests in the future.

“We have not seen any evidence that the threat actors have gained access to Twilio’s systems or other sensitive data,” the company said in a blog post. “Even if Authy accounts are not compromised, threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks. We encourage all Authy users to remain vigilant and have a heightened awareness of the texts they receive.”

As Twilio notes, receiving a list of phone numbers does not appear to pose a serious security risk in itself. However, attackers could contact users posing as representatives of Authy or Twilio in an attempt to trick them into revealing personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app available on the App Store. Twilio recommends that users who are unable to access their Authy account contact the support team immediately.

Earlier this year, Authy announced it would shut down its Mac and Linux desktop apps in August 2024, but moved the date forward. The apps were subsequently discontinued in March.