Twilio has warned Authy users to expect social engineering attacks after the ShinyHunters gang put 33 million records up for sale on the dark web.
Twilio, the communications provider behind the popular two-factor authentication app Authy, has alerted users that threat actors were able to identify the phone numbers associated with Authy accounts.
Threat actors were able to identify information linked to Authy accounts, including phone numbers, the company stated in a security advisory, which warns customers that they could be targeted in future social engineering attempts that use this information.
The breach first became public in late June, when the ShinyHunters group uploaded a CSV file to BreachForums that purportedly contained 33 million phone numbers connected to Authy.
The data reportedly also includes account IDs, account status, and device count.
Twilio disclosed that the source of the incident was an unauthenticated API endpoint, which it has since secured so that it no longer accepts unauthenticated requests.
The statement gave no indication that the attackers reached any of the company’s other internal systems or data, but it did advise Authy users to take preventative steps, such as keeping their mobile software updated with the most recent security patches and watching out for social engineering scams.
“Threat actors may attempt to utilize the phone number linked to Authy accounts for phishing and smishing attacks, even though Authy accounts are not compromised. As such, we advise all Authy users to exercise caution and pay close attention to any texts they receive,” the advisory says.
Authy users should also take additional precautions against SIM swapping attacks.
Speaking about the incident, Jason Kent, hacker in residence at API security firm Cequence, said it follows a typical pattern and underlines the importance of protecting API endpoints with sufficient authentication and authorization layers.
“Twilio is next on the scene as the go-to script for breaches in the API era,” Kent said. “We have repeatedly demonstrated that authentication and permission are necessary for an API endpoint that receives data and returns responses from it; otherwise misuse of the endpoint would occur.”
According to Kent, this was an interesting case because the attackers appeared to reverse the usual operating procedure.
“This is an intriguing example because it begins in an unexpected place. The phone number of the device is crucial to the Authy service when you connect it. Their systems are clearly interested in this number, as evidenced by the large number of endpoints that accept it. If the number is not present, there probably is a mistake. If the number is real, there’s either no inaccuracy or some other method of knowing,” he said.
“Therefore, in order to take over an account that uses Authy’s MFA, I must find out the phone number that was used to register the account and switch SIM cards to receive the MFA code delivered to the new phone. Since the MFA service provider was able to verify the numbers beforehand in this reverse attack, the SIM swapping attacks can now start.”
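As an added illustration (not Twilio’s or Authy’s code, and not taken from Kent), the following Python models the enumeration oracle described above: an unauthenticated lookup that accepts a phone number and answers differently for registered and unregistered numbers, beside a hardened version that requires a caller credential, rate-limits each caller, and returns the same response whether or not the number is known. The registry, the API-key table, the request shape and the responses are constructed assumptions made for the example.

```python
"""Toy model of a phone-number enumeration oracle and a hardened replacement.

Constructed example: the registry, API keys, responses and rate limits below are
assumptions for illustration, not the behaviour of any real Twilio/Authy endpoint.
"""
import time
from collections import defaultdict

# Constructed sample registry: phone numbers that have an account.
REGISTERED = {
    "+15550000001": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15550000002": {"account_id": 1002, "status": "active", "device_count": 1},
}


def vulnerable_lookup(phone: str) -> dict:
    """Unauthenticated endpoint whose response reveals whether the number is
    registered (different status code and different fields)."""
    rec = REGISTERED.get(phone)
    if rec is None:
        return {"status": 404, "error": "phone number not found"}
    return {"status": 200, "account_id": rec["account_id"],
            "device_count": rec["device_count"]}


def enumerate_numbers(handler, candidates, **kwargs) -> set:
    """Attacker loop: query each candidate number and keep those whose
    response discloses an account. Works against any handler that leaks."""
    found = set()
    for phone in candidates:
        resp = handler(phone, **kwargs)
        if resp.get("status") == 200 and "account_id" in resp:
            found.add(phone)
    return found


# --- hardened endpoint -----------------------------------------------------

API_KEYS = {"k-demo": "partner-app"}  # assumed caller credential table
RATE_LIMIT = 5                         # requests per caller per window
WINDOW_SECONDS = 60.0
_request_log = defaultdict(list)       # caller -> timestamps of recent requests


def _within_limit(caller: str, now: float) -> bool:
    """Sliding-window rate limit keyed by the authenticated caller, not by IP."""
    recent = [t for t in _request_log[caller] if now - t < WINDOW_SECONDS]
    recent.append(now)
    _request_log[caller] = recent
    return len(recent) <= RATE_LIMIT


def hardened_lookup(phone: str, api_key: str = None, now: float = None) -> dict:
    """Requires a credential, rate-limits per caller, and returns an identical
    response for registered and unregistered numbers. Anything that depends on
    the number being registered (e.g. sending a code) happens out of band."""
    now = time.time() if now is None else now
    caller = API_KEYS.get(api_key)
    if caller is None:
        return {"status": 401, "error": "authentication required"}
    if not _within_limit(caller, now):
        return {"status": 429, "error": "rate limited"}
    # Deliberately do not branch the response on REGISTERED.get(phone).
    return {"status": 202,
            "message": "if this number is registered, a verification code was sent"}


def responses_distinguishable(handler, known: str, unknown: str, **kwargs) -> bool:
    """True if the handler lets a caller tell a registered number from an
    unregistered one by comparing responses."""
    return handler(known, **kwargs) != handler(unknown, **kwargs)
```

The point of the hardened version is the combination: authentication alone still lets a credentialed caller enumerate, a uniform response alone still lets an anonymous caller burn through the number space, and per-caller rate limiting makes bulk harvesting expensive even for a legitimate credential that is later abused.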
According to Kent, it is still unclear whether the records ShinyHunters claims to be selling have actually been purchased. As a result, he advises affected customers to take further precautions to ensure they are not the target of a SIM swap attempt.
“Although Twilio has recently added authentication to the disputed endpoint, it is still unclear who has purchased the 33 million records lost in the data dump,” Kent noted.
“Any service using Authy as its MFA should take additional steps to ensure a SIM swap wasn’t recently completed on the account and ensure the end user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t,” reads a warning to Authy users. “Your account’s MFA service may be compromised.”