Using Authy? Beware of impending phishing attempts

Do you use Authy for your multi-factor authentication needs? If you do, you should keep an eye out for phishing attempts, as well as implement defenses against SIM swapping attacks.

What happened?

On July 1, Twilio – the company that develops the Authy MFA mobile app – shared with the public that attackers have leveraged one of its unauthenticated API endpoints to compile a list of phone numbers and other data belonging to Authy users.

Company systems were not breached, Twilio said, and Authy accounts have not been compromised, but the company warned that “threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks.”

The list, which apparently holds data of 33 million Authy users, has been offered for sale by ShinyHunters, a threat actor that specializes in breaching companies and stealing their customers data, then holding it for ransom and/or selling it to the highest bidder on forums and markets frequented by cybercriminals.

The group suggests cross-referencing the Authy list with customer databases stolen from cryptocurrency exchanges Gemini and Nexo, so that the buyers can engage in extremely targeted phishing or SIM swapping to get their hands on users’ cryptocurrency stash.

Twilio has also asked all Authy users to update to the latest Android (v25.1.0) and iOS (v26.1.0) apps, “as a precaution” and as a way to get the latest security updates, but you should know that this does nothing to protect you against phishing attacks. Increased caution is therefore advised.

Exploitation of API endpoints

Abusing API endpoints for scraping and validating data is done both by legitimate companies (e.g., for marketing purposes) and cybercriminals, as the practice is not technically illegal. The owners of the APIs are the ones who should protect them against misuse.

But time and time again, unsecured, publicly exposed APIs are abused to collect all sorts of user data, including data that can be used to hijack accounts.

In Authy’s case, the unsecured API enpoint helped attackers armed with (likely) a massive list of phone numbers to trim it down and compile one that can be very helpful to other criminals.

Getting around MFA

A few days after the Authy-related warning, Twilio sent out a notice to customers explaining that IdentifyMobile, a downstream carrier (2FA-SMS “deliverer”) of their backup carrier iBasis, had “inadvertently exposed certain SMS-related data publicly on the internet” – specifically, by making an AWS S3 bucket public for five days in May 2024.

The issue was discovered by Chaos Computing Club, a known security research group, who said that 200+ million text messages containing one-time passwords sent by over 200 companies were accessible to anyone who knew where to look.

“The CCC happened to be in the right place at the right time and accessed the data,” the group said.

“It was sufficient to guess the subdomain ‘idmdatastore’. Besides SMS content, recipients’ phone numbers, sender names, and sometimes other account information were visible.”

While Twilio says that only customers in few specific countries may have been affected by this security oversight, they also said that they believe (after performing an investigation) that messages containing their personal data were not exposed.

Messages sent by companies like Amazon, Microsoft, DHL, Google, Airbnb, were also accessible, and could have helped malicious attackers to log in to services and hijack accounts, conduct financial transactions, and so on – provided they had the first authentication factor (a password). But, as the researchers noted, “1-click login” links were also included in the data, allowing potential attackers ignore the password requirement.

“For some large affected companies, only individual services were protected by IdentifyMobile. Nevertheless, IdentifyMobile’s negligence exposed companies and their customers to significant risk. This is evident from the numerous similar inquiries from data protection departments worldwide now reaching us through all channels,” they added.

“We are happy to confirm that we did not keep the data. However, we cannot rule out that others may have accessed it.”