Hackers Exploit API to Verify Millions of Authy MFA Phone Numbers
Blog/
Breach

Hackers Exploit API to Verify Millions of Authy MFA Phone Numbers

The Authy breach resulted in a CSV file containing 33 million phone numbers.
Austin Ian Davies
Solution Architect
2 mins
July 5, 2024
TABLE OF CONTENTS

In a recent security incident, hackers exploited an unsecured API endpoint to verify millions of phone numbers associated with Authy's multi-factor authentication (MFA) service. This breach resulted in a CSV file containing 33 million phone numbers. The exposed data could facilitate SMS phishing and SIM swapping attacks, posing significant security risks to users. Twilio has since secured the API endpoint and advises Authy users to update their apps and remain vigilant against phishing attempts. 

Hackers Exploited Unsecured API

The data was compiled by feeding a massive list of phone numbers into the API, which would return information about the associated accounts if the number was valid. Although the API has since been secured, the leaked phone numbers can still be used for SMS phishing and SIM-swapping attacks.

This incident echoes previous abuses involving unsecured Twitter and Facebook APIs, where threat actors compiled profiles containing both public and non-public information. In this case, the scraped Authy phone numbers could be cross-referenced with data from other breaches, such as the alleged Gemini and Nexo, to facilitate further attacks.

Breach Resulted in CSV File Containing 33 Million Phone Numbers

The security breach led to the compilation of a CSV file with 33 million phone numbers associated with Authy MFA accounts. Hackers used an unsecured API endpoint to verify these numbers, potentially enabling SMS phishing and SIM swapping attacks. Although the API has since been secured, the leaked data still poses significant risks, highlighting the importance of robust API security measures and prompt user updates.

Security Update: Strongly Recommended Upgrade to Latest Authy Versions

Twilio, the company behind Authy, has released a critical security update for Authy, strongly recommending users upgrade to the latest versions of the Authy Android (v25.1.0) and iOS (v26.1.0) apps, which include important security enhancements. Users must update their apps to protect themselves, although it remains unclear how these updates fully protect users from the potential misuse of the scraped data.

To mitigate risks, users are strongly advised to stay vigilant against phishing attempts and ensure their mobile accounts are protected against unauthorized number transfers. This is a crucial step in protecting yourself in the aftermath of this breach.

The regulatory landscape has grown more complex, demanding faster and more comprehensive responses to vulnerabilities. Effective vulnerability management now hinges on early detection and advanced remediation strategies such as risk-based prioritization, automation, and enhanced team collaboration.

Secure Coding practices are essential for building secure applications from the ground up. Maintaining Code Quality ensures software is robust and maintainable. A Code Review Checklist helps verify coding standards and integrate security at every stage, leading to more reliable software.

Best Practices resources for developers and security engineers include the API Security Checklist and the Complete Guide to DevSecOps Best Practices. These guides provide essential tools and frameworks to enhance application security and implement secure-by-design principles.

Why Product Security Teams choose Aptori

Reduce Risk with Proactive Application Security
Are you in need of an automated API security solution that's a breeze to set up? Aptori is your answer. Aptori effortlessly discovers your APIs, secures your applications, and can be implemented in just minutes.

✅ AI-Powered Risk Assessment and Remediation
Aptori leverages advanced AI to assess risks and automate remediation. This intelligent approach ensures vulnerabilities are identified and fixed swiftly, minimizing your exposure to potential threats.

✅ Seamless SDLC Integration and Lightning-Fast Setup
With Aptori, setting up and conducting application security scans is a breeze. Our solution seamlessly integrates into your SDLC, providing comprehensive security insights and expediting the remediation process, all in a matter of minutes.

Ready to see Aptori in action? Schedule a live demo and witness its capabilities with your Applications. We're excited to connect and showcase how Aptori can transform your security posture!

Experience the full potential of Aptori with a free trial before making your final decision.

Free API Security Assessment
See your Applications through an attacker's eyes.
Free Assessment
TOPICS
No items found.
RELATED POSTS
No items found.
Get started with Aptori today!
The AI-Enabled Autonomous Software Testing Platform for APIs
GEt started
Code, Test, Secure
Unlock the Power of DevOps, Secure Your Code, and Streamline Testing with 'Code, Test, Secure' Newsletter!
Subscribe
LATEST POSTS
Essential Security Headers Every Developer Should Know
CI/CD Security Best Practices
Best practices for implementing Continuous Threat Exposure Management (CTEM)
Continuous Threat Exposure Management (CTEM): The Next Step in Proactive Cyber Defense
Liked what you read?
Check out these posts next
Best Practices
Essential Security Headers Every Developer Should Know
Sep 22, 2024
  
10 mins
Best Practices
CI/CD Security Best Practices
Sep 17, 2024
  
10 mins
Best Practices
Best practices for implementing Continuous Threat Exposure Management (CTEM)
Sep 11, 2024
  
10 mins
Insights
Continuous Threat Exposure Management (CTEM): The Next Step in Proactive Cyber Defense
Sep 6, 2024
  
6 mins
Insights

Featured Posts

See all articles
Insights
Securing GraphQL APIs - A Guide to OWASP GraphQL Security Cheat Sheet
Dive into the essentials of GraphQL security with our comprehensive guide, exploring common attacks and best practices as outlined in the OWASP GraphQL Security
July 1, 2023
Insights
The Importance of Input Validation and Output Encoding in API Security Testing
Input validation prevents malicious or inappropriate data from entering your system.
June 27, 2023
Insights
SAST vs DAST - What’s the Difference and How to Combine the Two
Integrate both SAST and DAST into your development and deployment workflows for optimal application security.
October 2, 2023
Best Practices
Mastering GraphQL Testing - Challenges and Best Practices
Unraveling the complexities of GraphQL testing to ensure a robust and secure API experience.
September 26, 2023

Application Security Learning Center

Application Security Posture Management (ASPM)

Application Security Posture Management

Autonomous Testing - Redefining Software Quality Assurance

Autonomous Testing

Developer-First Security

Developer First Security

Secure Coding - Best Practices to Write Resilient and Robust Code

Secure Coding

Secure by Design

Secure by Design

Shift Left Security Testing

Shift Left Security Testing

Get started with Aptori today!

AI-Powered Risk Assessment and Remediation

Reduce Risk With Proactive Application Security

Get StartedRequest a demo

Need more info? Contact Sales

Aptori
Reduce Risk with Proactive Application Security.

Aptori, your AI teammate, performs static, dynamic, and semantic testing of your software to identify vulnerabilities and suggest solutions, ensuring both security and high quality. At the heart of Aptori lies Semantic Testing, which significantly enhances security testing, triage, and remediation for applications and APIs. By elevating detection and response capabilities, Aptori strengthens the development of secure by design software, dramatically reducing the risk of data breaches.
PLATFORM
Why Aptori
          
RESOURCES
InsightsGuidesGlossaryWhitepaperDocumentation
SOLUTIONS
Application Security TestingAPI Security TestingAPI Risk AssessmentAutomated API Pen TestingPrevent BOLA AttacksAutomated Penetration Testing
NEWSLETTER
Get monthly news and insights in your inbox