Twilio Data Breach: 33 Million Authy User Phone Numbers Exposed
Twilio's data breach exposed 33 million Authy user phone numbers because of an unauthenticated endpoint.
Insha
3 minutes
A security breach in Twilio's Authy app exposed 33 million phone numbers. Learn how users can protect themselves and how Akto can help identify similar vulnerabilities.
What Happened?
On June 27, 2024, the ShinyHunters hacker group announced on BreachForums that they had leaked data affecting 33 million phone numbers. Twilio confirmed the data breach at the beginning of July and determined that threat actors had retrieved private data related to Authy users, including phone numbers, because an API endpoint did not require authentication.
What is Authy?
Authy, a mobile application, secures user accounts by providing two-factor authentication (2FA) services. It generates time-based one-time passwords (TOTPs) on your mobile device.
At login, the account requires a TOTP in addition to the username and password. This additional step makes it more difficult for unauthorized users to access the account.
Authy generates the TOTP using a shared secret key and the current time to create a unique code that changes every 30 seconds. When you enter this code, the server matches it with the expected value, ensuring that only someone with access to your device can log in.
This extra step ensures that even if someone gets your password, they can't access your account without the TOTP. Authy also securely stores your 2FA tokens and makes it easy to recover them if you change or lose your device.
Vulnerability: Unauthenticated API Endpoint
An unauthenticated API endpoint allows anyone to access a part of an API without needing a password or permission.
Attackers exploited an unauthenticated Authy API endpoint by feeding it a large list of phone numbers to identify which numbers were associated with accounts. They queried the endpoint without any authentication and received responses revealing account ID numbers, account status, device counts, and device lock status.
ShinyHunters likely compiled this list of phone numbers from a previous data breach and then ran it against the unauthenticated API endpoint. They have also indicated that other hackers could combine the stolen data with other information to carry out further attacks, including attacks targeting cryptocurrency.
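To make the weakness concrete, here is an added illustration (not Twilio's or Akto's code) of a phone-number lookup handler in its weak form beside a hardened form, using constructed sample records and a hypothetical bearer token. The hardened version requires a credential, throttles each caller, and returns the same response whether or not the number is registered, which is what stops bulk enumeration.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample records (hypothetical, not Twilio's real data).
ACCOUNTS = {
    "+15550000001": {"account_id": 1001, "status": "active", "devices": 2, "locked": False},
    "+15550000002": {"account_id": 1002, "status": "active", "devices": 1, "locked": True},
}
VALID_TOKENS = {"tok_client_a": "client-a"}  # hypothetical API credentials
RATE_LIMIT = 5                               # lookups allowed per caller (no window reset shown)


def lookup_unauthenticated(phone: str) -> dict:
    """Weak pattern: no credential is required, the status code differs for
    registered vs unregistered numbers, and account metadata is echoed back,
    so a long list of numbers can be checked cheaply."""
    rec = ACCOUNTS.get(phone)
    if rec is None:
        return {"status": 404, "body": {"error": "unknown number"}}
    return {"status": 200, "body": rec}


class HardenedLookup:
    """Hardened pattern: require a credential, throttle per caller, and answer
    identically whether or not the number is registered."""

    def __init__(self) -> None:
        self._calls = defaultdict(int)

    def lookup(self, phone: str, token: Optional[str]) -> dict:
        caller = VALID_TOKENS.get(token or "")
        if caller is None:
            return {"status": 401, "body": {"error": "authentication required"}}
        self._calls[caller] += 1
        if self._calls[caller] > RATE_LIMIT:
            return {"status": 429, "body": {"error": "rate limited"}}
        # Any real work (e.g. notifying the device) happens server-side;
        # the caller learns nothing about whether `phone` has an account.
        return {"status": 202, "body": {"message": "request accepted"}}


def leaks_registration(handler) -> bool:
    """Defender's check: does the handler's response reveal whether a number
    is registered? Compares a known number against one that is not."""
    known = handler("+15550000001")
    unknown = handler("+15559999999")
    return known != unknown
```

The leaks_registration check is the kind of differential test an API scanner runs: if a known and an unknown number produce different responses without credentials, the endpoint is enumerable.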
How Did Twilio Respond to the Breach?
Twilio has released a new security update and recommends that users upgrade to the Authy Android (v25.1.0) and iOS (v26.1.0) apps. These updates include necessary security improvements. However, it is not clearly explained how these updates protect users from attackers who already hold the leaked data.
Steps Users Should Take to Protect Themselves
Authy users should take these steps to protect themselves:
Block Number Transfers: Contact your mobile service provider and set up your account to require a passcode for number transfers.
Stay Alert for Phishing: Be cautious of suspicious text messages (SMS) asking for personal information or directing you to a website. These could be phishing attempts to steal sensitive data, such as passwords. Always verify the sender's identity, and avoid clicking on links or providing personal information in response to unsolicited messages.
How can Akto help?
Akto helps you identify unauthenticated API endpoint vulnerabilities with one click. You can import your API collection and run multiple tests to uncover potential weaknesses. You can also create your custom templates by trying the Akto test library.
Final Thoughts
The Twilio data breach highlights the critical need to secure API endpoints to prevent unauthorized access. An unauthenticated API endpoint caused the breach, which Twilio has since secured and updated. Blocking number transfers and being cautious with unexpected messages can help protect against future threats. Organizations must continuously enhance their security practices to protect user data.