27k unique visitors in the last 3 days

Twilio Breach of 33mn Phone Numbers Is Gift to Social Engineering Fraudsters

The data was compromised via an insecure API for Authy, the two-factor authentication app owned by Twilio.

A hacker claimed last week to have obtained personal data about 33 million users of Authy, a two-factor authentication app belonging to Twilio, the San Francisco-headquartered cloud communications provider. Although the information obtained is not especially sensitive, Authy is a popular method of securing cryptocurrency accounts, making these phone numbers an effective hitlist for fraudsters who use social engineering and bribery of telco insiders to hijack a victim’s phone service so they can then assume control of other online accounts.

Per a security alert published by Twilio on July 1:

Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.

Scammers will know that if they style their communications to look like they come from Authy or Twilio then they have a higher chance of duping recipients. That is why it is so vital that Authy users are informed about the breach and the risks it creates for them.

There is really no excuse for Twilio to allow a leaky API to be abused like this. Some people talk as if APIs are an unparalleled good that unlock tremendous value by simplifying the way organizations cooperate. However, bad actors are drawn to APIs that do not demand authentication whenever there is a request for data. Businesses and governments now routinely warn the public not to share too much personal data in case it is harvested and exploited by criminals. But the risk of criminals gathering useful information from social media posts is trivial compared to the danger created when corporations apply no effective security to APIs that can be used to systematically extract data about millions of customers.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email