Final week, a hacker claimed to have stolen 33 million telephone numbers from U.S. messaging large Twilio. On Tuesday, Twilio confirmed to information.killnetswitch that “menace actors” have been in a position to establish the telephone quantity of people that use Authy, a well-liked two-factor authentication app owned by Twilio.
In a publish on a well known hacking discussion board, the hacker or hackers referred to as ShinyHunters wrote that they hacked Twilio and obtained the cellular phone numbers of 33 million customers.
Twilio spokesperson Kari Ramirez informed information.killnetswitch that the corporate “has detected that menace actors have been in a position to establish information related to Authy accounts, together with telephone numbers, on account of an unauthenticated endpoint. Now we have taken motion to safe this endpoint and now not enable unauthenticated requests.”
“Now we have seen no proof that the menace actors obtained entry to Twilio’s methods or different delicate information. As a precaution, we’re requesting all Authy customers to replace to the most recent Android and iOS apps for the most recent security updates and encourage all Authy customers to remain diligent and have heightened consciousness round phishing and smishing assaults,” Ramirez wrote in an electronic mail.
Twilio additionally revealed an alert on its official web site on Monday, together with the identical assertion.
Whereas acquiring a listing of telephone numbers — by itself — could not look like probably the most harmful of data breaches, it may nonetheless pose a menace to the house owners of these numbers.
“If attackers are in a position to enumerate a listing of person’s telephone numbers, then these attackers can fake to be Authy/Twilio to these customers, rising the believability in a phishing assault to that telephone quantity,” Rachel Tobac, an skilled in social engineering and CEO of SocialProof Safety, informed information.killnetswitch.
Tobac defined that now hackers can particularly goal individuals who they know are Authy customers, giving the attackers an opportunity to make it seem like their malicious messages actually come from Authy and Twilio.
In 2022, Twilio suffered a bigger data breach, when a bunch of hackers accessed the info of greater than 100 firm prospects. Armed with that info, the hackers then launched a wide-ranging phishing marketing campaign which resulted within the theft of round 10,000 worker credentials from at the least 130 firms. As a part of that breach on the time, Twilio stated hackers efficiently focused 93 particular person Authy customers and have been in a position to register further units on these victims’ Authy accounts, permitting them to successfully steal actual two-factor codes.
