A hacker claimed last week to have obtained personal data about 33 million users of Authy, a two-factor authentication app belonging to Twilio, the San Francisco-headquartered cloud communications provider. Although the information obtained is not especially sensitive, Authy is a popular method of securing cryptocurrency accounts, making these phone numbers an effective hitlist for fraudsters who use social engineering and bribery of telco insiders to hijack a victim’s phone service so they can then assume control of other online accounts.
Per a security alert published by Twilio on July 1:
Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.
We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.
Scammers will know that if they style their communications to look like they come from Authy or Twilio then they have a higher chance of duping recipients. That is why it is so vital that Authy users are informed about the breach and the risks it creates for them.
There is really no excuse for Twilio to allow a leaky API to be abused like this. Some people talk as if APIs are an unparalleled good that unlock tremendous value by simplifying the way organizations cooperate. However, bad actors are drawn to APIs that do not demand authentication whenever there is a request for data. Businesses and governments now routinely warn the public not to share too much personal data in case it is harvested and exploited by criminals. But the risk of criminals gathering useful information from social media posts is trivial compared to the danger created when corporations apply no effective security to APIs that can be used to systematically extract data about millions of customers.



