Cloud communications provider Twilio has revealed that an unknown threat actor has leveraged an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users’ mobile phone numbers.
The company said it has taken steps to secure its endpoints so they do not accept unauthenticated requests.
The development comes days after an online figure going by the name of ShinyHunters published a database on BreachForums containing 33 million phone numbers that were allegedly extracted from Authy accounts.
Owned by Twilio since 2015, Authy is a popular two-factor authentication (2FA) app that adds an extra layer of security to your account.
“We have not observed any evidence that the threat actors accessed Twilio systems or other sensitive data,” the company said in a July 1, 2024 security alert.
However, as a precaution, we encourage users to upgrade to the latest versions of our Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps.
It also warned that threat actors may attempt to use phone numbers associated with Authy accounts in phishing and smishing attacks.
“We encourage all Authy users to be extremely careful and mindful of the text messages they receive,” the company noted.
