Hackers Exploit Unsecured API to Verify Authy MFA Phone Numbers, here is what to know

In a recent cybersecurity incident, threat actors targeted Twilio’s two-factor authentication service, Authy, by exploiting an unsecured API endpoint. The breach exposed the phone numbers of millions of Authy users, potentially making them vulnerable to SMS phishing and SIM swapping attacks.


The Authy Breach: What Happened?

Twilio, the messaging company that owns Authy, confirmed that hackers gained unauthorized access to mobile phone numbers associated with Authy accounts. The breach affected a staggering 33 million users. The compromised data included phone numbers, which could be exploited for phishing and smishing attacks.

How Did the Authy Breach Happen?

The vulnerability stemmed from an unauthenticated endpoint within Twilio’s infrastructure. Because the endpoint required no authentication, threat actors could submit phone numbers to it and learn which ones were linked to Authy accounts. Although there’s no evidence that the hackers accessed Twilio’s core systems or other sensitive information, the breach underscores the importance of securing API endpoints.
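As an added illustration of the defender's side (not code from the article, Twilio, or Authy), the following Python detector scans constructed access-log lines for unauthenticated clients that probe many distinct phone numbers against a lookup endpoint, which is the traffic pattern an enumeration of this kind leaves behind. The log format, the `/v1/users/lookup` path, the `auth`/`noauth` field and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not real Twilio/Authy logs).
# Fields: timestamp, client IP, request path+query, HTTP status, auth flag.
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 203.0.113.7 /v1/users/lookup?phone=%2B15550000001 404 noauth
2024-07-01T10:00:01Z 203.0.113.7 /v1/users/lookup?phone=%2B15550000002 200 noauth
2024-07-01T10:00:02Z 203.0.113.7 /v1/users/lookup?phone=%2B15550000003 404 noauth
2024-07-01T10:00:02Z 203.0.113.7 /v1/users/lookup?phone=%2B15550000004 200 noauth
2024-07-01T10:00:03Z 203.0.113.7 /v1/users/lookup?phone=%2B15550000005 404 noauth
2024-07-01T10:00:09Z 198.51.100.4 /v1/users/lookup?phone=%2B15550000042 200 auth
2024-07-01T10:00:10Z 198.51.100.4 /v1/users/lookup?phone=%2B15550000042 200 auth
2024-07-01T10:00:11Z 192.0.2.9 /v1/users/lookup?phone=%2B15550000077 404 noauth
"""

# Assumed line layout: "<ts> <ip> <path>?phone=<number> <status> <auth|noauth>"
LINE_RE = re.compile(
    r"^(\S+) (\S+) (/v1/users/lookup)\?phone=([^ &]+) (\d{3}) (auth|noauth)$"
)


def parse_lookups(log_text):
    """Yield (ip, phone, status, authenticated) for every lookup request line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a lookup request, or a malformed line
        _ts, ip, _path, phone, status, auth = m.groups()
        yield ip, unquote(phone), int(status), auth == "auth"


def find_enumerators(log_text, distinct_threshold=3):
    """Return {ip: {"probes": n, "matches": m}} for unauthenticated clients that
    queried at least `distinct_threshold` distinct phone numbers.  "matches" counts
    the 200 responses, i.e. how many numbers the endpoint confirmed as registered.
    """
    phones = defaultdict(set)
    matches = defaultdict(int)
    for ip, phone, status, authenticated in parse_lookups(log_text):
        if authenticated:
            continue  # authenticated callers are accountable; out of scope here
        phones[ip].add(phone)
        if status == 200:
            matches[ip] += 1
    return {
        ip: {"probes": len(nums), "matches": matches[ip]}
        for ip, nums in phones.items()
        if len(nums) >= distinct_threshold
    }
```

In practice the same logic belongs at the API gateway as a rate limit keyed on distinct lookup values per client, and the endpoint itself should answer identically whether or not a number is registered.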

Immediate Action Required

If you’re an Authy user, take the following steps immediately:

  1. Update Your App: Ensure you’re running the latest version of the Authy app on all your devices. Twilio has released security updates to address this vulnerability.
  2. Stay Vigilant: Be cautious about unexpected texts, especially those seemingly from trusted sources like Authy or Twilio. Smishing attacks can mimic legitimate messages, so verify any requests for sensitive information.

What Is Smishing?

Smishing, short for “SMS phishing,” involves tricking users via text messages. Attackers may impersonate legitimate services or organizations to deceive recipients into revealing personal information or clicking malicious links.

Expert Insights

Rachel Tobac, a social engineering expert and CEO of SocialProof Security, emphasizes the need for vigilance. She warns that attackers, armed with a list of user phone numbers, can convincingly pose as Authy or Twilio. Users should exercise heightened awareness when receiving unexpected texts.


As the cybersecurity landscape evolves, staying informed and proactive is crucial. Twilio has taken steps to secure the vulnerable endpoint, but users must remain vigilant. By updating your Authy app and scrutinizing incoming texts, you can protect yourself from potential attacks.

Remember, security is a shared responsibility. Let’s keep our digital lives safe and secure.