Hackers steal millions of Authy 2FA phone numbers

Martin Brinkmann
Jul 4, 2024

Malicious actors have managed to steal more than 33 million phone numbers used by users of the two-factor authentication service Authy.

Authy is a popular security application to manage authentication codes for apps and online services. These add to the security of sign-ins, as the codes need to be entered in a second stage of authentication.

Here are the key points:

  • A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers.
  • The list was obtained through an improperly secured API endpoint.
  • The attacker fed the API a large number of phone numbers to find out which were known to the Authy system.
  • Attackers may use the phone numbers in SMS phishing or SIM swapping attacks.
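The enumeration described above (probing a lookup endpoint with many numbers and keeping the ones it acknowledges) leaves a distinctive footprint in API access logs. The following is an added example, not Twilio or Authy code, that flags such a client from constructed log records; the log format, client ids and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (client_id, phone_number, http_status).
# Assumption: 200 means the number is known to the service, 404 means it
# is not. These are made-up values, not real Authy log lines.
SAMPLE_LOG = [
    ("app-legit", "+15550100001", 200),
    ("app-legit", "+15550100001", 200),
    ("app-legit", "+15550100002", 200),
    ("app-legit", "+15550100003", 404),
] + [
    # An enumerating client walks a contiguous range; most probes miss.
    ("scraper", f"+1555020{n:04d}", 200 if n % 7 == 0 else 404)
    for n in range(500)
]


def longest_run(numbers):
    """Longest run of consecutive phone numbers, a sign of range walking."""
    values = sorted(int(p.lstrip("+")) for p in numbers)
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def client_stats(log):
    """Aggregate per-client request count, distinct numbers and misses."""
    stats = defaultdict(lambda: {"requests": 0, "numbers": set(), "misses": 0})
    for client, phone, status in log:
        s = stats[client]
        s["requests"] += 1
        s["numbers"].add(phone)
        s["misses"] += status == 404
    return stats


def flag_enumerators(log, min_distinct=100, min_miss_ratio=0.5):
    """Clients probing many distinct numbers with mostly 'unknown' answers
    are treated as using the endpoint as an existence oracle."""
    flagged = {}
    for client, s in client_stats(log).items():
        distinct = len(s["numbers"])
        miss_ratio = s["misses"] / s["requests"]
        if distinct >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[client] = {"distinct": distinct,
                               "miss_ratio": round(miss_ratio, 2),
                               "longest_run": longest_run(s["numbers"])}
    return flagged
```

Rate limiting per client and returning the same response whether or not a number is known would remove the oracle this detector is looking for.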

Twilio, Authy's parent company, confirmed the authenticity of the data and the hack to Bleeping Computer.

The company revealed that it has secured the endpoint used in the attack. It furthermore released an update for Android and iOS as a precaution.

What affected users can do

Authy customers cannot look up if their phone number is included in the leak. There is no direct threat, as threat actors cannot do anything with the phone number alone.

Attacks are, however, possible:

  • SMS attacks to get users to share authentication codes or download malware to their devices.
  • SIM Swapping attacks, which require additional personal information. These involve the cellular provider of the victim.

The attackers could use online searches or other databases to link phone numbers to their owners.

The data in Authy is secure at this point. This is not the first incident, however. Back in 2022, Twilio confirmed that it suffered a data breach.

If this reminds you of LastPass, a password management service that suffered through a series of hacks and issues in the last couple of years, you are not totally mistaken.

Migrating from Authy to another service

Migration is not straightforward, as Authy does not support exporting. A workaround exists that uses an older version of the desktop app, but it may not work soon anymore as Authy is discontinuing the desktop program.

The only other option is to manually migrate the data. This involves the following steps:

  • Sign in to the service whose codes Authy generates.
  • Turn off 2FA in the preferences.
  • Enable 2FA again, this time using the new authenticator app.

Repeat these steps for every service, and delete each entry in Authy once its migration is complete. To do so, long-tap the item in Authy and select the remove option.

As far as alternatives are concerned, check out my reviews of the open source authenticator Aegis or Bitwarden Authenticator.

Closing Words

Should you trust a service that has suffered several breaches in the past, or should you move to one that has not? LastPass customers have faced the same question several times, and it is the question Authy customers should now ask themselves.

Whether you are migrating or not is up to you. It is inconvenient, thanks to the lack of proper export options.

Do you use authenticator apps? If so, which is your preferred one at the moment?

Comments

  1. Yash said on July 5, 2024 at 10:14 am
    Reply

    I never understood the point of having a phone number as a second authentication factor. SIM swap is a concern. Even bigger is SIM loss.

    I use an authentication key with TOTP codes for all 2FA purposes on every service that provides an option for 2FA. No need to worry even if you lose your phone, which can happen. The authentication key is saved in password manager notes.

  2. Davin Patrick Peterson said on July 5, 2024 at 3:16 am
    Reply

    Authy used to have an app for Windows, but discontinued it earlier this year.
    It was nice as it synced with the iOS or Android phone app.

  3. Tachy said on July 4, 2024 at 4:47 pm
    Reply

    No, I do not. Why add a second attack vector?

    “We need to cure the problem with knowledge, not treat it with software.”

  4. George said on July 4, 2024 at 4:21 pm
    Reply

    Keep your damn passwords & authentication codes local! Everybody saving their credentials in the cloud, aka on someone else's PC, is a fool.

    1. Anonymous said on July 9, 2024 at 11:56 am
      Reply

      Exactly, clown behaviour all around. KeePassXC exists, as well as multiple other alternatives that you can find on alternativeto dot net, for example, yet people will still use insecure proprietary doodoo of apps.

  5. LB said on July 4, 2024 at 2:35 pm
    Reply

    I use yubikeys with Yubico Authenticator for the important logs and 1Password for the others. No need to expose phone numbers.

  6. Thomas said on July 4, 2024 at 1:59 pm
    Reply

    Thanks for the update, Martin.

  7. bruh said on July 4, 2024 at 11:54 am
    Reply

    “The attacker fed the API a large number of phone numbers to find out which were known to the Authy system.” – Genius, the API basically told him which numbers were valid.

    50+ million requests (millions for invalid phone numbers) is not noticed by some sort of mechanism? No logging or metric tracking?

    Then again, I don’t know how APIs work.

  8. Ken said on July 4, 2024 at 8:49 am
    Reply

    OTP Auth on iOS is pretty good. Steve Gibson recommended it years ago and I have never had an issue. I kinda like the manual backup feature, so I can control backups and keep them where I want them.
