Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone numbers of people who use Authy, a popular two-factor authentication app owned by Twilio.
In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”
“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email.
Twilio also published an alert on its official website on Monday, including the same statement.
While obtaining a list of phone numbers — on its own — may not seem like the most dangerous of data breaches, it can still pose a threat to the owners of those numbers.
“If attackers are able to enumerate a list of users’ phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability of a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.
Tobac explained that hackers can now specifically target people who they know are Authy users, giving the attackers a chance to make it seem like their malicious messages really come from Authy and Twilio.
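To make the weakness Twilio describes concrete, here is an added illustration (constructed for this article, not Twilio's or Authy's code, and not a description of the actual endpoint) of a phone-number lookup handler written the way enumeration happens, beside a hardened version that requires a credential, throttles per caller and returns the same body whether or not the number is registered. The registry, token and caller ids are all made up.

```python
"""Model of an account-lookup endpoint that leaks which phone numbers are
registered (the weak pattern) next to a hardened version.
Constructed example; nothing here is Twilio's or Authy's code."""
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed in-memory registry: phone number -> account record.
REGISTRY = {"+15550001111": {"user": "alice"}, "+15550002222": {"user": "bob"}}
API_TOKEN = "constructed-demo-token"  # placeholder credential for the demo only


def lookup_unauthenticated(phone: str) -> dict:
    """Weak pattern: no authentication, and the response differs for registered
    vs. unregistered numbers, so any caller can enumerate the registered ones."""
    if phone in REGISTRY:
        return {"status": 200, "registered": True, "user": REGISTRY[phone]["user"]}
    return {"status": 404, "registered": False}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per caller."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.calls = defaultdict(list)

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.calls[caller] if now - t < self.window]
        self.calls[caller] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def lookup_hardened(phone: str, token: Optional[str], caller: str,
                    now: Optional[float] = None) -> dict:
    """Hardened pattern: require a valid credential (constant-time compare),
    throttle per caller, and return an identical body either way."""
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return {"status": 401}
    if not LIMITER.allow(caller, now):
        return {"status": 429}
    _ = REGISTRY.get(phone)  # do the real work here, but never reflect it in the reply
    return {"status": 202, "message": "If this number is registered, a notification was sent."}
```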
In 2022, Twilio suffered a larger data breach, when a group of hackers accessed the data of more than 100 company customers. Armed with that information, the hackers then launched a wide-ranging phishing campaign which resulted in the theft of around 10,000 employee credentials from at least 130 companies. As part of that breach at the time, Twilio said hackers successfully targeted 93 individual Authy users and were able to register additional devices on those victims’ Authy accounts, allowing them to effectively steal real two-factor codes.