Unsecured Authy MFA API Exploited For Malicious Phone Number Verification

Reportedly, criminal hackers exploited an unsecured Authy (an MFA app) API to verify phone numbers falsely. This activity makes the phone numbers of millions of users vulnerable to cyber threats.

Unsecured Authy API Exploited In Recent Attacks

Twilio, the parent firm behind the popular MFA app Authy, recently disclosed a security incident affecting its app. As explained in its security update, Twilio detected malicious abuse of the app to falsely verify millions of phone numbers.

Specifically, the yet-unknown hackers abused an unsecured Authy API endpoint to obtain users’ data related to Authy, including their phone numbers. Twilio explains that hackers may use this data to target users with malicious activities like SMS phishing and SIM swapping attacks.

While the hackers accessed users’ data, Twilio confirmed having no impact on the Authy app’s structure. Nor is there any infiltration with Authy accounts. Instead, the breach happened merely because of the unsecured endpoint that allowed unauthenticated requests.

Nonetheless, upon detecting this issue, Twilio protected the exposed API and addressed the issue. Consequently, it asks all users to update their Authy apps with the latest versions. The firm has released the update with Authy Android v25.1.0 and iOS App v26.1.0, available on the Google Play Store and Apple App Store, respectively.

Besides, the firm also asked users who may be having trouble accessing their Authy accounts to contact Twilio support for assistance.

While Twilio didn’t mention anything about the attackers’ identity, according to Bleeping Computer, the notorious ShinyHunters hacker group dumped a CSV text file of 33 million phone numbers on a dark web forum in June 2024. The poster claimed these numbers to have been registered with Authy. Bleeping Computer elaborated that the attackers fed a list of phone numbers to the unsecured Authy API endpoint to gather information about the accounts linked to the registered numbers.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients