Twilio, the company that owns Authy, suffered a data breach

Twilio, the company that owns the popular two-factor authentication service Authy, has revealed that it suffered a data breach. An announcement published on its website states that some of its employees fell victim to a phishing attack.
Twilio data breach
According to the report, the attackers sent text messages to current and former employees of the company. The messages, which originated in the U.S., were spoofed to look as if they came from Twilio's IT department and asked the recipients to update their passwords. A link in the texts led to URLs controlled by the attackers, who harvested the credentials typed into those pages and used them to gain access to some of the company's internal systems. This is ordinary credential phishing: any login that can be completed by retyping a password and a code on a look-alike page is exposed to it, whereas origin-bound factors such as FIDO2 security keys refuse to sign for a domain they were not registered on.
The concerning part is that the attackers were able to access certain customer data. Twilio is investigating the attack and will notify customers who were affected. The company has already revoked access for the compromised employee accounts. It says it worked with U.S. carriers to shut down the malicious messages, and with hosting providers to take down the accounts and infrastructure the attackers used for the phishing pages.
Users may appreciate the transparency about the breach, but the company has not clarified what customer data was accessed. Twilio owns several products and services; Authy is just one of them, and probably the best known. The attack will no doubt raise eyebrows about the safety of Authy.
Are Authy users safe?
There is no official word on whether user data from Authy has been stolen. I have seen a few reports on social media of users panicking, but I think it is safe to say that Authy users shouldn't be worried. Why is that?
1. Authy's login system
2. End-to-end encryption
Authy does not have a traditional login with a username and a password. Instead, the service uses your phone number as your login ID, verified through an SMS or voice call to that number. Knowing your phone number does not by itself give an attacker your account data, and because there is no account password, there is no password stored in the cloud to leak. What actually protects the data is Authy's backups password (distinct from the app's protection PIN, which only locks the app on the device). The backups password is turned into an encryption key on your device, your 2FA account tokens (the TOTP secrets) are encrypted with that key before they are uploaded to the cloud, and the password itself never leaves the device. This is end-to-end encryption. Only the user holds the key; without it the data cannot be read by anyone, and Authy itself cannot recover the TOTP secrets or generate your codes. Likewise, when you install Authy on a new device, you must enter the backups password to decrypt the data before the app can produce 2FA codes. The one caveat is that the phone number is the identity: if you leave Authy's multi-device option enabled, someone who can receive SMS for your number (a SIM swap, for instance) can register a device, but they still face the encrypted backup.
This end-to-end encryption is essentially the same model as cloud-based password managers such as Bitwarden: the vault is encrypted with a key derived from your master password before it leaves your device. Even if an attacker managed to breach Authy's storage, they would obtain only ciphertext, and the data should theoretically be safe. That's the whole point of encryption.
This is not an official explanation from the company; it is based on my understanding of how end-to-end encryption works. Of course, it all depends on the proper implementation of the encryption system, and on the strength of the backups password: an attacker holding the encrypted backup can try passwords offline, testing each guess against the ciphertext, so a short PIN-style password offers far less protection than a long passphrase, and a slow key derivation function is what makes each guess expensive.
Some of my friends rely on Authy across platforms (iOS, Android), but I moved away from Authy a few years ago to Aegis, because I prefer offline, open source apps. I used this guide for importing the tokens.
Do you use Authy?
Uhh, this has already been possible – I am not sure how, but I remember my brother telling me about it. I'm not a WhatsApp user so I'm not sure of the specifics, but it was something about sending the image as a file and somehow bypassing the default compression settings that are applied to inbound photos.
He has also used this to share movies to WhatsApp groups, and files of 1 GB+.
Like I said, I never used WhatsApp, but I know 100% this isn't a "brand new feature"; my brother literally showed me doing it, like... 5 months ago?
Martin, what happened to those: 12 Comments (https://www.ghacks.net/chatgpt-gets-schooled-by-princeton-university/#comments). Is there a specific justifiable reason why they were deleted?
Hmm, it looks like the gHacks website database is faulty, and not populating threads with their corresponding posts.
The page on gHacks this is on represents the best of why it has become so worthless, full of click-bait junk that it's about to be deleted from my 'daily reads'.
It’s really like “Press Release as re-written by some d*ck for clicks…poorly.” And the subjects are laughable. Can’t wait for “How to search for files on Windows”.
> The page on gHacks this is on represents the best of why it has become so worthless, full of click-bait junk…
Sadly, I have to agree.
Only Martin and Ashwin are worth subscribing to.
Especially Emre Çitak and Shaun are the worst ones.
If ghacks.net intended “Clickbait”, it would mark the end of Ghacks Technology News.
Ghacks doesn't need crappy clickbait. Clearly separate articles from newer authors (perhaps AIs, or external salespeople or advertising men) and mark them as "Advertisements"!
We, the subscribers of Ghacks, urge Martin to make a decision.
Because nevermore wants to "monetize" every aspect of human life…
“Threads” is like the Walmart of Social Media.
How hard can it be to clone a twitter version of that as well? They’re slow.
Yes, why not mention how large the HD files can be?
Why not mention what version of WhatsApp is needed?
These omissions make the article feel so bare. If not complete.
Sorry posted on the wrong page.
Such a long article for such a simple matter. Worthless article! Waste of time.
I already do this by attaching them via the ‘Document’ option.
I don't know what's going on here at Ghacks, but it's obvious that something is broken: comments are being mixed up whatever the article, and I am unable to find some of my later posts either. :S
Quoting the article,
“As users gain popularity, the value of their tokens may increase, allowing investors to reap rewards.”
Besides, beyond the thrill and privacy risks or not, the point is to know how you gain popularity, be it on social sites as everywhere in life. Is it by being authentic, by remaining faithful to ourselves or is it to have this particular skill which is to understand what a majority likes, just like politicians, those who’d deny to the maximum extent compatible with their ideological partnership, in order to grab as many of the voters they can?
I see the very concept of this Friend.tech as unhealthy, propagating what is already an increasing flaw : the quest for fame. I won’t be the only one to count himself out, definitely.
@John G. is right : my comment was posted on [https://www.ghacks.net/2023/08/23/what-is-friend-tech/] and it appears there but as well here at [https://www.ghacks.net/2023/07/08/how-to-follow-everyone-on-threads/]
This has been going on for several days. Fix it, or at least provide some explanation if you don't mind.
> Google Chrome is following in Safari’s footsteps by introducing a new feature that allows users to move the Chrome address bar to the bottom of the screen, enhancing user accessibility and interaction.
Firefox did this long before Safari.
Basically they’ll do anything except fair royalties.