- Users of the Twilio Authy Authenticator app may have had their phone number exposed to hackers.
- While the leak exposed personally identifiable information, it did not directly compromise accounts.
- Twilio has since secured its system, but warns the information exposed could be used for phishing.
Security is not something any of us get to ignore, and with so much of our lives tied to various accounts and services, protecting that access is critical. Users interested in making things as difficult as possible for hackers often look for login options that support two-factor authentication, preventing bad actors from messing with your data using a stolen password alone. Of course, that makes 2FA solutions themselves a prime target, and that’s just what Twilio has been dealing with recently, as an API vulnerability exposed some Authy user data.
Authy is one of the more popular 2FA apps around, competing with the likes of Google’s own Authenticator. BleepingComputer reports that just about a week ago, hackers shared a data set consisting of some 33 million entries, connecting account IDs to user phone numbers. Twilio confirmed to the site that this data was scraped by way of a hacker connecting to a previously unsecured API endpoint — essentially, they could just run through a list of every possible phone number, and if one of them was associated with a registered Authy user, the API would respond with the linked account info.