In early August, Twilio, a company specializing in communication services, suffered a data breach caused by an SMS-based phishing attack. We now learn that some Authy accounts were also compromised.
Twilio has just revealed that the cybercriminals behind the attack managed to compromise the accounts of some users of Authy, its two-factor authentication app. For those unfamiliar with it, the application is similar to Google Authenticator, FreeOTP or Microsoft Authenticator. This announcement follows the attack suffered on August 4, 2022.
Compared to the total number of Authy customers, the number affected by this compromise is quite small, but it is not negligible: 163 customers out of a base of more than 270,000 customers. By accessing the authentication data of certain Authy customers, hackers were able to register additional devices in order to gain access through their own machines. Twilio has since cleaned up, and the company says it has removed the hacker-controlled devices.
In a security bulletin posted on the Twilio site, in which the company shares the latest progress in the investigation, it states: “After implementing a number of internal security enhancements, we have not observed any further instances of unauthorized account access since our last update.
To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period, and we have informed them all.
In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices on their accounts. We have since identified and removed unauthorized devices from these Authy accounts.”
To prevent a third-party device from being added to an account, as was the case here, Twilio recommends that users add a spare device and then disable the “Allow Multi-Device” option, which prevents additional devices from being added (see this doc).
Twilio tries to reassure its customers, particularly regarding security: “Trust is paramount at Twilio, and we recognize that the security of our systems and our network is an important part of earning and maintaining the trust of our customers. […] We will update this blog with more information as it becomes available.”