Hackers Exploit API to Verify Millions of Authy MFA Phone Numbers
Blog/
Breach

Hackers Exploit API to Verify Millions of Authy MFA Phone Numbers

The Authy breach resulted in a CSV file containing 33 million phone numbers.
TABLE OF CONTENTS

In a recent security incident, hackers exploited an unsecured API endpoint to verify millions of phone numbers associated with Authy's multi-factor authentication (MFA) service. This breach resulted in a CSV file containing 33 million phone numbers. The exposed data could facilitate SMS phishing and SIM swapping attacks, posing significant security risks to users. Twilio has since secured the API endpoint and advises Authy users to update their apps and remain vigilant against phishing attempts. 

Hackers Exploited Unsecured API

The data was compiled by feeding a massive list of phone numbers into the API, which would return information about the associated accounts if the number was valid. Although the API has since been secured, the leaked phone numbers can still be used for SMS phishing and SIM-swapping attacks.

This incident echoes previous abuses involving unsecured Twitter and Facebook APIs, where threat actors compiled profiles containing both public and non-public information. In this case, the scraped Authy phone numbers could be cross-referenced with data from other breaches, such as the alleged Gemini and Nexo, to facilitate further attacks.

Breach Resulted in CSV File Containing 33 Million Phone Numbers

The security breach led to the compilation of a CSV file with 33 million phone numbers associated with Authy MFA accounts. Hackers used an unsecured API endpoint to verify these numbers, potentially enabling SMS phishing and SIM swapping attacks. Although the API has since been secured, the leaked data still poses significant risks, highlighting the importance of robust API security measures and prompt user updates.

Security Update: Strongly Recommended Upgrade to Latest Authy Versions

Twilio, the company behind Authy, has released a critical security update for Authy, strongly recommending users upgrade to the latest versions of the Authy Android (v25.1.0) and iOS (v26.1.0) apps, which include important security enhancements. Users must update their apps to protect themselves, although it remains unclear how these updates fully protect users from the potential misuse of the scraped data.

To mitigate risks, users are strongly advised to stay vigilant against phishing attempts and ensure their mobile accounts are protected against unauthorized number transfers. This is a crucial step in protecting yourself in the aftermath of this breach.

The regulatory landscape has grown more complex, demanding faster and more comprehensive responses to vulnerabilities. Effective vulnerability management now hinges on early detection and advanced remediation strategies such as risk-based prioritization, automation, and enhanced team collaboration.

Secure Coding
practices are essential for building secure applications from the ground up. Maintaining Code Quality ensures software is robust and maintainable. A Code Review Checklist helps verify coding standards and integrate security at every stage, leading to more reliable software.

Best Practices
resources for developers and security engineers include the API Security Checklist and the Complete Guide to DevSecOps Best Practices. These guides provide essential tools and frameworks to enhance application security and implement secure-by-design principles.

Why Product Security Teams choose Aptori

Reduce Risk with Proactive Application Security
Are you in need of an automated API security solution that's a breeze to set up? Aptori is your answer. Aptori effortlessly discovers your APIs, secures your applications, and can be implemented in just minutes.

✅ AI-Powered Risk Assessment and Remediation
Aptori leverages advanced AI to assess risks and automate remediation. This intelligent approach ensures vulnerabilities are identified and fixed swiftly, minimizing your exposure to potential threats.

✅ Seamless SDLC Integration and Lightning-Fast Setup
With Aptori, setting up and conducting application security scans is a breeze. Our solution seamlessly integrates into your SDLC, providing comprehensive security insights and expediting the remediation process, all in a matter of minutes.

Ready to see Aptori in action? Schedule a live demo and witness its capabilities with your Applications. We're excited to connect and showcase how Aptori can transform your security posture!

Experience the full potential of Aptori with a free trial before making your final decision.

Free API Security Assessment
See your Applications through an attacker's eyes.
Free Assessment
TOPICS
No items found.
RELATED POSTS
No items found.
Get started with Aptori today!
The AI-Enabled Autonomous Software Testing Platform for APIs
GEt started
Code, Test, Secure
Unlock the Power of DevOps, Secure Your Code, and Streamline Testing with 'Code, Test, Secure' Newsletter!
Subscribe

Get started with Aptori today!

AI-Powered Risk Assessment and Remediation

Reduce Risk With Proactive Application Security

Need more info? Contact Sales