Up To 33 Million Authy User Cell Phone Numbers Exposed

Updated Jul 5, 2024, 03:19pm EDT

Authy, the app used by many people for two-factor authentication (2FA), has issued a warning after attackers stole up to 33 million phone numbers.

The attack via an unsecured API endpoint allowed adversaries to verify the phone numbers of millions of Authy multi-factor authentication (MFA) users. As a result, Authy users could now be vulnerable to SMS phishing and SIM swapping attacks.

In late June, an adversary dubbed ShinyHunters leaked a CSV text file, claiming that it contained 33 million phone numbers registered with the Authy service, Bleeping Computer reports.

The CSV file contains 33,420,546 rows, each with an account ID, phone number, an "over_the_top" column, account status and device count, the site reported.

Authy has now acknowledged the attack in a blog post. The firm was also attacked twice during 2022, but said the latest incident is not linked to those earlier ones.

Authy owner Twilio sent me a statement over email, which reads: “Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

Twilio says it has “seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data,” but Authy is “requesting all Authy users to update to the latest Android and iOS apps for the latest security updates.”

It is also encouraging all Authy users to “stay diligent and have heightened awareness around phishing and smishing attacks.”

What To Do

It goes without saying that if, like me, you are an Authy user, you need to be careful of any texts claiming to be from the firm.

Since the incident has leaked phone numbers, the biggest risk for users will be targeted phishing-type attacks, says Sean Wright, head of application security at Featurespace. While many may be concerned about attackers having access to their accounts, he says that is “highly unlikely since the attackers will need to be able to obtain the seeds for the MFA tokens stored in Authy.”

Wright recommends that users remain vigilant, and “be very wary of any messages you receive from unknown senders.”

He says this is especially important for messages “that appear to have a sense of urgency or are warning of financial loss if no action is taken.”

You could also look to move to another MFA application as a replacement for Authy—or use the even more secure option of hardware keys, such as the Yubico YubiKey, Wright says.

If you find you can’t access your Authy account, the firm recommends immediately contacting Authy support. “One of our specialists will respond to your request, and work with you to get your Authy account back up and running again.”

And of course, as Authy recommends, it’s a good idea to update your iOS or Android app now so that you have the latest security fixes.
