In July 2024, Twilio, a major communications provider, disclosed a significant breach involving its Authy multi-factor authentication (MFA) service. This incident, attributed to the ShinyHunters hacking group, exploited an unsecured API endpoint to verify the phone numbers of millions of users, putting them at risk of subsequent cyberattacks like SMS phishing and SIM swapping.
What Happened?
Twilio’s Authy service provides a critical MFA layer for millions of users worldwide. However, in this breach, attackers discovered and exploited an unsecured API endpoint that allowed the verification of phone numbers linked to Authy users without proper safeguards. As a result, over 33 million phone numbers were exposed, along with associated user data like account IDs and device counts(
The breach came to light when ShinyHunters leaked a CSV file containing data from the compromised accounts. The exposed information included 33 million phone numbers, increasing the likelihood of SIM swapping attacks—where a malicious actor takes control of a victim’s phone number—and SMS phishing, where fraudulent texts could trick users into revealing sensitive information(
CyberSec UK)(
Potential Impact on Users
This breach presents significant risks for individuals using Authy’s MFA service:
- SIM Swapping: With phone numbers exposed, attackers could impersonate users, tricking telecom providers into transferring the target’s phone number to a new SIM card. This could allow attackers to bypass MFA and access accounts protected by SMS-based authentication.
- Phishing Attacks: The compromised data could be used for targeted SMS phishing (smishing) campaigns, where attackers pose as legitimate services to steal login credentials or personal information.
These attacks could affect a wide range of services, from financial accounts to social media, where Authy MFA is implemented.
ShinyHunters’ Involvement
ShinyHunters, a notorious hacking group known for previous large-scale data breaches, took credit for the Twilio Authy breach. This group has been responsible for other significant data thefts, often leaking stolen data on hacking forums or selling it on the dark web(
In this case, ShinyHunters leaked the Authy data shortly after the breach, significantly increasing the risk to affected users. Given their track record, it’s expected that they may continue exploiting vulnerabilities in high-profile systems to steal and sell sensitive data(
Twilio’s Response
Twilio responded swiftly to the breach by securing the vulnerable API and launching a detailed investigation into how the exploitation occurred. They have also notified affected users and recommended that they change their phone numbers and enable multi-factor authentication methods that do not rely solely on SMS, such as app-based or hardware token authentication(
Twilio’s rapid response highlights the importance of securing APIs, particularly for services that handle sensitive data like MFA. The incident also demonstrates the risks associated with SMS-based authentication, a method widely criticized for its vulnerability to SIM swapping and interception.
Lessons Learned and Mitigation
The Twilio Authy breach underscores several critical lessons for organizations and individuals:
- Secure APIs: Ensure that all public-facing APIs have proper authentication and authorization mechanisms in place.
- Use App-based MFA: Where possible, users should shift away from SMS-based authentication in favour of app-based MFA options like Google Authenticator or hardware tokens such as YubiKey, which offer enhanced security.
- User Vigilance: Users affected by the breach should remain vigilant for any suspicious SMS messages or account activity. They should also consider changing passwords and enabling more secure forms of MFA where possible.
The Twilio Authy breach highlights the ongoing vulnerabilities in services that rely on SMS for authentication. While Twilio acted quickly to close the security gap, the exposed data poses a significant risk to millions of users, potentially leading to a wave of phishing and SIM-swapping attacks. This incident serves as a stark reminder for organizations to prioritize securing their APIs and for users to adopt stronger, more secure authentication methods.
Further Reading
- Twilio’s Official Response to the Authy Breach
- How SIM Swapping Works and How to Protect Yourself
- Understanding the Risks of SMS-based Authentication
- ShinyHunters: Who Are They?