Communications company Twilio has warned users that threat actors have the phone numbers linked to accounts of its popular two-factor authentication app, Authy.
In a security advisory, the company said threat actors were able to identify data associated with Authy accounts, including phone numbers, warning users may be targeted with social engineering attacks using these details moving forward.
The initial breach was made public in late June when the ShinyHunters group posted a CSV file said to contain 33 million phone numbers linked to Authy on BreachForums.
The information is also said to include account IDs , account status, and device count.
Twilio revealed the breach was due to an unauthenticated API endpoint it has now locked down to prevent further unauthenticated requests.
The statement added it had no reason to believe the hackers were able to compromise the firm's other internal systems or data, but asked Authy users to take precautionary measures like updating their mobile software with the latest security patches and to remain vigilant for social engineering attacks.
“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”
Twilio customers need to take extra steps to protect against SIM swap attacks
Commenting on the breach, Jason Kent, hacker in residence at API security specialist, Cequence, explained the breach fits a common pattern and highlights the importance of locking down API endpoints with adequate authentication and authorization layers.
"As the standard script for breaches in the API era, Twilio is next on stage. We have shown over and over that an API Endpoint that accepts data and gives responses on that data, needs to be covered with both authentication and authorization or someone will abuse the endpoint.”
This case was an intriguing one, according to Kent, due to the fact that the attackers seem to be reversing the standard operating procedure.
“This example is an interesting one because it starts where you might not expect. As you attach a device to the Authy service they rely heavily on that device's phone number. Their systems are very interested in this number and obviously there are many endpoints that accept the number, and my guess is, if the number doesn’t exist there is an error. If the number does exist there is either a lack of error or some other way of knowing,” he explained.
“So, if I want to take over someone’s account that is using Authy’s MFA, I need to know what number they used to sign that account up with and perform a SIM swap to get the MFA code sent to the new phone. This is a reverse attack where the MFA service provider was able to validate the numbers first, now the SIM swapping attacks can commence.”
Kent added that it’s still not clear if the records ShinyHunter claims to be selling have been bought, advising affected users should take extra steps to make sure they don’t fall victim to a SIM swap attack.
“Twilio has since put authentication on the endpoint in question, but it is still unknown if anyone has bought the 33 million records lost in the data dump,” Kent noted.
“If you are an Authy user, you are advised to understand that that MFA service, for your account, may be compromised and any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t."
