Hackers steal millions of Authy 2FA phone numbers
Malicious actors have managed to steal more than 33 million phone numbers used by users of the two-factor authentication service Authy.
Authy is a popular security application to manage authentication codes for apps and online services. These add to the security of sign-ins, as the codes need to be entered in a second stage of authentication.
Here are the key points:
- A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers.
- The list was obtained through an improperly secured API endpoint.
- The attacker fed the API a large number of phone numbers to find out which were known to the Authy system.
- Attackers may use the phone numbers in SMS phishing or SIM swapping attacks.
Twilio, Authy's parent company, confirmed the authenticity of the data and the hack to Bleeping Computer.
The company revealed that it has secured the endpoint used in the attack. It furthermore released an update for Android and iOS as a precaution.
What affected users can do
Authy customers cannot look up if their phone number is included in the leak. There is no direct threat, as threat actors cannot do anything with the phone number alone.
Attacks are, however, possible:
- SMS attacks to get users to share authentication codes or download malware to their devices.
- SIM Swapping attacks, which require additional personal information. These involve the cellular provider of the victim.
The attackers could use online searches or other databases to link phone numbers to their owners.
The data in Authy is secure at this point. This is not the first incident, however. Back in 2022, Twilio confirmed that it suffered a data breach.
If this reminds you of LastPass, a password management service that suffered through a series of hacks and issues in the last couple of years, you are not totally mistaken.
Migrating from Authy to another service
Migration is not straightforward, as Authy does not support exporting. A workaround exists that uses an older version of the desktop app, but it may not work soon anymore as Authy is discontinuing the desktop program.
The only other option is to manually migrate the data. This involves the following steps:
- Sign-in to the service that codes are generated for in Authy.
- Turn off 2FA in the preferences.
- Enable 2FA again, this time using the new authenticator app.
Repeat the steps for any service and delete each of them once the migration completes. This is done by long-tapping on the item in Authy and selecting the remove option.
As far as alternatives are concerned, check out my reviews of the open source authenticator Aegis or Bitwarden Authenticator.
Closing Words
Should you trust a service that suffered through several breaches in the past, or should you move to a service that has not. LastPass customers have faced the same question several times in the past, and it is the same question that Authy customers should ask themselves.
Whether you are migrating or not is up to you. It is inconvenient, thanks to the lack of proper export options.
Do you use authenticator apps? If so, which is your preferred one at the moment?
I never understood the point of having phone number as second factor authentication. Sim swap is a concern. Even bigger is sim loss.
I use authentication key with TOTP codes for all 2FA purposes on every service which provides option for 2FA. No need to worry even if you lost your phone which can happen. Authentication key is saved in password manager notes.
Authy used to have an app for Windows, but discontinued it earlier this year.
It was nice as it synced with the iOS or Android phone app
No I do not, why add a second attack vector?
“We need to cure the problem with knowledge, not treat it with software.”
Keep your damn passwords & authentication codes local! Everybody saving their credentials in the cloud aka on someone elses pc is a fool.
exactly, clown behaviour all around, keepassxc exists as well as multiple other alternatives that you can find on alternativeto dot net for example, yet people will still use insecure proprietary doodoo of apps
I use yubikeys with Yubico Authenticator for the important logs and 1Password for the others. No need to expose phone numbers.
Thanks for the update Martin
“The attacker fed the API a large number of phone numbers to find out which were known to the Authy system.” – Genius, the api basically told him which numbers were valid.
50+ million requests (millions for invalid phone numbers) is not noticed by some sort of mechanism? No logging or metric tracking?
Then again I don’t know how APIs work
OTP Auth on iOS is pretty good. Steve Gibson recommended it years ago and I have never had an issue. I kin like the manual backup feature so I can control backups and keep them where I want them.