MFA app Authy: Countless phone numbers tapped via unsecured API

After criminals leaked a CSV file with telephone numbers of allegedly 33 million Authy users, there is a threat of SMS phishing attacks, among other things.

(Image: stylized burning monitor, created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Twilio has reported that attackers accessed data from Authy accounts, including the phone numbers of those affected. The attackers, who operate under the name ShinyHunters, apparently exploited an unsecured API endpoint in a scraping attack.

According to Twilio's official announcement, there is no indication that the attackers have gained access to other sensitive data or the internal backend systems.

In the announcement, Twilio asks all users to install the latest update of the Authy app for Android and iOS. Authy is an application that generates codes for logging in via multi-factor authentication (MFA). Twilio discontinued the desktop version in February 2024. Since the attack targeted an endpoint in Twilio's backend rather than the app itself, the question arises how the app updates are supposed to protect users.

Anyone using the app should at least be prepared for SMS phishing attempts, which attackers can use to harvest further information. SIM swapping attacks are also conceivable as a follow-on; in Germany, however, that risk is limited. In a SIM swap, the fraudsters pose as the subscriber to the mobile operator and report the phone and SIM card as stolen in order to obtain a replacement SIM with the victim's number.

The security news site Bleeping Computer provides further details of the attack. According to it, a group calling itself ShinyHunters published a CSV text file with just over 33 million records. In addition to account IDs and phone numbers, the records contain the account status (account_status), the number of registered devices (device_count) and probably an indicator of whether the devices are locked (device_lock).

Screenshot: an excerpt of the CSV file posted by the ShinyHunters group, with the phone numbers redacted by Bleeping Computer. (Image: Bleeping Computer)

According to Bleeping Computer, the attackers fed large volumes of phone numbers to the unsecured API endpoint. For every number that was contained in the Authy user database, the endpoint returned the associated record.

Even though the published data contains no sensitive information such as credit card numbers, the API's response alone confirmed to the attackers that a given phone number is registered with Authy. An endpoint that answers differently for known and unknown numbers acts as an account-existence oracle, and that confirmation is what makes the leaked list useful for targeted phishing.
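To make the mechanism concrete, the following constructed example simulates a lookup endpoint that behaves the way the article describes (it hands back a record for registered numbers and an error for everything else), an attacker loop that walks through candidate numbers and keeps the hits, and a hardened version of the same endpoint. This is example code written for this article, not Twilio's or Authy's code; only the column names (account_status, device_count, device_lock) come from the leaked CSV as described above. The phone numbers, the in-memory user table, the API key and the rate limit are all made up.

```python
"""Simulation of the phone-number scraping attack described in the article,
with a hardened variant of the same endpoint.

Constructed example for this article; it is not Twilio's or Authy's code.
Only the column names (account_status, device_count, device_lock) come from
the leaked CSV as described above. Everything else is made up.
"""
from collections import defaultdict

# Constructed user table keyed by phone number (fictitious +1-555 numbers).
USER_DB = {
    "+15550100001": {"account_id": 1001, "account_status": "active",
                     "device_count": 2, "device_lock": False},
    "+15550100002": {"account_id": 1002, "account_status": "active",
                     "device_count": 1, "device_lock": True},
    "+15550100003": {"account_id": 1003, "account_status": "suspended",
                     "device_count": 0, "device_lock": False},
}


def vulnerable_lookup(phone, api_key=None):
    """Unauthenticated lookup endpoint that acts as an account-existence
    oracle: a registered number gets its record back, an unknown number
    gets a 404. The api_key argument is accepted but ignored."""
    record = USER_DB.get(phone)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"phone": phone, **record}


def candidate_range(prefix, start, stop):
    """Attacker side: generate a block of consecutive numbers to try."""
    return [f"{prefix}{n:05d}" for n in range(start, stop)]


def enumerate_numbers(lookup, candidates, api_key=None):
    """Attacker side: query every candidate and keep those the endpoint confirms."""
    hits = {}
    for phone in candidates:
        status, body = lookup(phone, api_key=api_key)
        if status == 200:
            hits[phone] = body
    return hits


class HardenedLookup:
    """Same endpoint with three changes: it requires an API key, it caps the
    number of calls per key, and it answers identically whether or not the
    number is registered, so it no longer reveals who is a user."""

    def __init__(self, api_keys, per_key_limit=100):
        self.api_keys = set(api_keys)
        self.per_key_limit = per_key_limit
        self.calls = defaultdict(int)

    def lookup(self, phone, api_key=None):
        if api_key not in self.api_keys:
            return 401, {"error": "authentication required"}
        self.calls[api_key] += 1
        if self.calls[api_key] > self.per_key_limit:
            return 429, {"error": "rate limit exceeded"}
        # The record is still looked up for the server's own processing;
        # nothing derived from it reaches the caller.
        _record = USER_DB.get(phone)
        return 202, {"status": "accepted"}


if __name__ == "__main__":
    cands = candidate_range("+155501", 0, 10)
    print("vulnerable:", enumerate_numbers(vulnerable_lookup, cands))
    hardened = HardenedLookup(api_keys={"demo-key"}, per_key_limit=5)
    print("hardened, no key:", enumerate_numbers(hardened.lookup, cands))
    print("hardened, with key:",
          enumerate_numbers(hardened.lookup, cands, api_key="demo-key"))
```

Against the vulnerable endpoint the loop recovers the three registered numbers together with their account_status, device_count and device_lock fields, which is exactly the shape of the leaked CSV. Against the hardened endpoint it recovers nothing: without a key every call is rejected, and with a key the uniform 202 response carries no information about registration, while the per-key cap bounds how many calls a single credential can make. The article does not say which of these measures Twilio actually applied, so the hardened class should be read as a generic illustration rather than a description of the fix.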

The incident is reminiscent of some earlier events: in 2019, attackers published over 400 million phone numbers of Facebook (now Meta) users. In early 2024, attackers also misused a public Trello API to link email addresses with data from Trello profiles.

Twilio was in the spotlight at the end of 2022 following a phishing attack on employees, as a result of which attackers gained access to customer data. Users of the messenger Signal were also affected by the attack.

(rme)