Twilio's Authy, a popular multi-factor authentication (MFA) app, has fallen victim to a significant security breach. Hackers exploited an unsecured API endpoint to verify and compile a list of 33 million phone numbers associated with Authy accounts[1]. The breach was revealed when a threat actor named ShinyHunters leaked a CSV file containing 33,420,546 rows of data, including account IDs, phone numbers, account statuses, and device counts[1]. Twilio confirmed that this data was obtained through an unauthenticated API endpoint, which has since been secured[1]. While no sensitive data like passwords were compromised, this breach poses potential risks for Authy users. The exposed phone numbers could be used for SMS phishing (smishing) attacks or SIM swapping attempts, particularly if cross-referenced with data from other breaches[1]. In response, Twilio has released security updates for both Android (v25.1.0) and iOS (v26.1.0) Authy apps. Users are strongly advised to update their apps and remain vigilant against potential phishing attempts[1]. To protect yourself: 1. Update your Authy app immediately 2. Be wary of suspicious SMS messages 3. Secure your mobile account against unauthorized number transfers 4. Consider using alternative MFA methods where possible This incident serves as a stark reminder of the importance of API security and the potential consequences of leaving endpoints unsecured[1]. Sources [1] Hackers abused API to verify millions of Authy MFA phone numbers https://lnkd.in/guQ8mMkh
Peter Makohon’s Post
More Relevant Posts
-
Passwords are a problem. 89% of organizations experienced some form of phishing attack in the past year. The future of password is password-less. Passkeys are a new way to sign in to apps and websites. Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. 1. Passkeys are secure. This is because passkeys are, in essence, password-less. Instead of typing in your username and password, Passkeys let you authenticate yourself into websites and apps using any form of device-based user verification such as biometrics (Face ID, fingerprint) or PIN. Your biometrics never leave your device and it cannot be decrypted anywhere except on your phone. 2. Passkeys prevent phishing attacks. With Passkeys, users cannot be tricked into entering their credentials on misleading sites/apps . Passkeys are bound to an app's identity as determined by the operating system/browser on the device that determines exactly which app or website can access a stored passkey. 3. Passkeys are resilient to data breaches. Generating a passkey requires generating a public-private key pair on the user's device. The public key is sent to the app, and the private key is stored only on the user's device. Even if the website or app's servers are breached, attackers gain access only to the public key, which by itself is not useful to access the users' account/data without having access to the users' physical device. 4. Passkeys are device-independent. Because passkeys are generated and stored on a user's device, that doesn't mean they cannot be used to login to the apps on other devices. You can login to an app on a computer using a passkey stored on your phone as long as you have the phone with you. By scanning a code from the camera of your phone, you will approve the sign-in and authorize the app to log you in on the computer. What if you have multiple personal devices or lose your personal device? Most popular password managers such as Google Password Manager, iCloud Keychain, 1Password encrypt and store your passkeys on the cloud so you can sync and restore your passkeys on any device. 5. Passkeys are federated. They are built on (Fast IDentity Online) FIDO Standards, so they can be implemented on any operating system or browser. So where can you use Passkeys? Several popular apps and sites such as Google, Paypal, Adobe, Shop already support Passkeys. Several others such as Microsoft, X(Twitter), LinkedIn, WhatsApp will support it soon. If you use a Password manager such as 1Password, your Watchtower will suggest all the stored accounts that already support Passkey.
Passkeys (Passkey Authentication)
fidoalliance.org
To view or add a comment, sign in
-
🚨 𝗠𝗮𝗷𝗼𝗿 𝗔𝗣𝗜 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝗿𝗲𝗮𝗰𝗵 🚨 Twilio has disclosed a breach where an unsecured API endpoint allowed hackers to verify millions of Authy MFA phone numbers. This vulnerability has exposed 33 million phone numbers, making users susceptible to SMS phishing and SIM swapping attacks. 𝗞𝗲𝘆 𝗣𝗼𝗶𝗻𝘁𝘀: • Exposure Details: An unauthenticated API endpoint was used to compile a CSV with account IDs, phone numbers, and device counts. • Immediate Actions: Twilio has secured the endpoint and urges users to update to the latest Authy versions (Android v25.1.0, iOS v26.1.0) and remain vigilant against phishing. • Security Recommendations: Ensure mobile accounts block number transfers without a passcode and be alert for SMS phishing attempts. 𝗜𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝗰𝗲 𝗼𝗳 𝗔𝗣𝗜 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁: This breach underscores the critical need for organizations to maintain a comprehensive API inventory. It’s vital to have full knowledge of all APIs, including shadow APIs, and to ensure that all endpoints have appropriate authentication measures in place. Read more about the breach and necessary precautions: https://lnkd.in/d52VkQvB #CyberSecurity #DataBreach #MFA #Twilio #Authy #APIManagement #SecurityUpdate #SIMSwapping #Phishing #TechNews #InfoSec #API #MobileSecurity #Authentication #HackingNews #DataProtection #APISecurity —————- 🚀 🤖 Subscribe to my new Newsletter BYTE ME! and cut through the noise of GenAI, Cyber Security and what’s in between 🔗 https://lnkd.in/dNSWNy-C
Hackers abused API to verify millions of Authy MFA phone numbers
bleepingcomputer.com
To view or add a comment, sign in
-
Experienced Business Development & Account Management Leader 🔹 Extensive Telecom Industry Experience 🔹 Passionate about Empowering & Leading Growth-Oriented Teams 🔹 Constantly Delivering Improved Financial Performance
Here are the top 9 mobile security threats and the best strategies to protect yourself 👇 1️⃣ Phishing, Smishing, and Vishing Cybercriminals use phishing to trick you into revealing personal details through fake messages, which may also install malware on your phone. Smishing and vishing, their SMS and voice call counterparts, respectively, are similarly deceitful, using texts and voice messages to lure you into their traps. Defense: Always verify the legitimacy of links in emails and texts. Handle unexpected calls with caution and verify their authenticity before providing any personal information. 2️⃣ Physical Security Physical access to your device can lead to direct data breaches. Defense: Use strong passwords or biometrics like fingerprint or facial recognition to lock your phone, making it harder for thieves to access your data. 3️⃣ SIM Hijacking This occurs when a thief uses your personal information to convince your telecom provider to switch your number to a new SIM card, gaining control over your mobile identity. Defense: Limit how much personal information you share online and add extra security measures with your provider to prevent unauthorized SIM swaps. 4️⃣ Malicious Apps From nuisanceware that bombards you with ads to apps that covertly mine cryptocurrency, malicious software can be hidden in seemingly harmless applications. Defense: Only download apps from trusted app stores and pay close attention to the permissions apps request. 5️⃣ Open Wi-Fi Risks Public Wi-Fi can expose you to attacks, such as Man-in-The-Middle (MiTM) attacks, where hackers intercept the data sent from your device. Defense: Avoid using public Wi-Fi for sensitive transactions. Consider using a VPN for enhanced security. 6️⃣ Surveillance and Stalkerware These tools can track everything from your location to your private messages, often used inappropriately to spy on users without their consent. Defense: Regularly check for unfamiliar apps and high data usage, which can indicate the presence of spyware. 7️⃣ Ransomware This type of malware locks you out of your phone and demands payment for access. Defense: Keep your operating system updated and back up your data regularly, so you can restore your phone if it gets attacked. 8️⃣ Trojans and Financial Malware Trojans disguise themselves as legitimate apps but steal your financial information once installed. Defense: Update your phone regularly and download apps only from official sources. Be wary of granting apps access to your financial data. 9️⃣ Mobile Device Management (MDM) Exploits If your workplace uses MDM to manage mobile devices, a compromise in this system could put your data at risk. Defense: Follow best practices for security on both personal and work devices, and keep personal information separate from work devices. By staying aware and taking proactive steps, you can protect your smartphone from these common threats. Remember, maintaining security is an ongoing process.
To view or add a comment, sign in
-
-
Hackers abused API to verify millions of Authy MFA phone numbers - Hackers exploited a vulnerability in Twilio's API to verify millions of Authy users' phone numbers. - This information could be used for SMS phishing and SIM swapping attacks to steal accounts. - The data breach involved an unauthenticated API endpoint that allowed hackers to check if a phone number was registered with Authy. - Twilio has secured the API and recommends updating the Authy app to the latest version. - They also advise users to be vigilant against phishing attacks and enable additional security features on their mobile accounts. - It's important to note that this data breach seems separate from another recent incident where a third-party vendor exposed Twilio users' SMS data. #CyberSecurity https://lnkd.in/g5YSRRkU
Hackers abused API to verify millions of Authy MFA phone numbers
bleepingcomputer.com
To view or add a comment, sign in
-
Attorney-Owner of Summit Business Law, LLC, Des Moines, Iowa | US Army Veteran | Privacy, Cybersecurity & AI | Risk Management | Technology and Law | Small Businesses | Veteran-Owned Businesses
In a recent attack, the #ShinyHunters group claimed to have captured 33 million phone numbers used as part of the #Authy MFA service platform through an unsecured API endpoint. Such a compromise could leave Authy users vulnerable to SIM swapping and #smishing attacks. Authy users should update their apps to the newest versions and be vigilant for possible attacks using their information. Happy Monday everyone. 😉 From the article: '"Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests," Twilio told BleepingComputer. "We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.'" #cybersecurity #authy #twilio #mfa #smishing #simswapping
Hackers abused API to verify millions of Authy MFA phone numbers
bleepingcomputer.com
To view or add a comment, sign in
-
SUMMARY: A Twilio API flaw let hackers verify millions of Authy MFA phone numbers, raising risks of phishing and SIM swapping attacks. MAIN POINTS: - Twilio's unsecured API endpoint exposed millions of Authy users' phone numbers. - Threat actors leaked 33 million Authy phone numbers online. - Twilio has secured the API and advised users to update their apps for protection. TAKEAWAYS: - API vulnerabilities can lead to severe data exposure and security risks. - Updating software and vigilance against phishing are crucial for security. - Companies should ensure APIs are secure to protect user data. #cybersecuritynews #cybersecurity #mfa #api
Hackers abused API to verify millions of Authy MFA phone numbers
bleepingcomputer.com
To view or add a comment, sign in
-
Essential SMS Security Best Practices for Everyone Introduction: In our interconnected world, SMS (Short Message Service) remains a key communication tool, not just for personal chats but also for business transactions, notifications, and authentication processes. However, this widespread use also makes SMS a target for scammers and hackers. This blog post will outline essential best practices to enhance your SMS security and protect your personal information. **Understanding the Risks:** Before diving into the best practices, it's crucial to understand the risks associated with SMS. These can include phishing attempts, smishing (SMS phishing), spoofing, and various scams aimed at stealing personal information or money. **Best Practices for SMS Security:** 1. **Be Cautious with Unknown Numbers:** Treat messages from unknown numbers with skepticism, especially if they ask for personal information, money, or prompt you to click on a link. 2. **Don't Share Sensitive Information:** Never share personal details like passwords, bank account numbers, or social security numbers over SMS. Legitimate organizations will not ask for this information via text. 3. **Enable Two-Factor Authentication (2FA):** Where possible, use 2FA for an extra layer of security. Prefer app-based or hardware token 2FA over SMS when available. 4. **Regularly Update Your Phone:** Ensure that your operating system and all applications are up to date to benefit from the latest security patches. 5. **Use Secure Messaging Apps:** Consider using encrypted messaging apps for sensitive communications. These apps offer better security and privacy than standard SMS. 6. **Educate Yourself and Others:** Stay informed about the latest SMS scams and share this knowledge with friends and family. Awareness is a powerful tool against scams. 7. **Report Suspicious Messages:** If you receive a message that seems like a scam, report it to your carrier or the appropriate authorities. Your action can help prevent others from falling victim. 8. **Regularly Review Your Messages:** Periodically check your messages for any unusual activity. If you notice anything suspicious, take immediate action. **Conclusion:** While SMS is a convenient communication tool, its security is not foolproof. By following these best practices, you can significantly reduce your risk of falling victim to SMS-related scams and protect your sensitive information. Stay vigilant, stay informed, and prioritize your digital security. **Remember**: In the realm of SMS, a little caution goes a long way! --- Blog post generated by AI, but still very useful!
To view or add a comment, sign in
-
Cybersecurity || Founder SupremeLP || Technical Writing || Corporate Law || Cyber Law || Data Protection
Online Security: The Role of Two-factor Authentication The rate of hacking and overtaking peoples media accounts by cyber criminals is alarming and almost everyone has experienced such or at least, knows someone whose account have been hacked. The model employed by cyber criminals in cyber attacks has proven that strong passwords are not 100% foolproof. Hence, there's the need for another layer of security to deter cyber criminals. One of the methods is Two-factor authentication. This is sometimes referred to as 2-step verification, dual-factor authentication or two-step verification but in general, it's popularly called two-factor authentication (2FA). It is a form of additional layer of security. 2FA adds an extra layer of protection to your accounts, making them virtually "hacker-proof" If this authentication is enabled, even if a hacker knows your password and username, they still can't log in to your account without the second password or authentication key or credentials. Benefits of Two-factor Authentication Password Attacks: Passwords may be compromised via phishing attacks, brute force attacks, or social engineering. 2FA helps to provide an additional layer of protection that makes it more difficult for attackers to gain access to your account even if they have your password details at hand. Integrity: By using 2FA, you can have confidence in the integrity of your data knowing that your accounts are more secure and less likely to be compromised. This can be vital if you have sensitive or valuable information stored on your accounts. Compliance: Some industries or organisations code of conduct or regulations may state some compliance requirements that mandate the use of 2FA for certain types of accounts operation or data handling. Categories of Two-factor authentication Text-based 2FA: When you use 2FA-enabled login processes, you will enter your username and password on the browser and then receive a text message with a verification code on your phoneb to finish the login process. example the OTP code. Biometric-based 2FA: This authentication requires facial scan, fingerprints or voice commands. This process involves something unique about you to acquire access to your account. Now, let's check out the best practices of 2FA Cautious in Adopting Two-factor Authentication In adopting 2FA, some measures must be considered. They are; Don’t use Common Details about you such as your personal phone number, middle name, date of birth, pets name or number of children. for SMS-based 2FA authentication Repetition of the same method of 2FA across all account platforms is dangerous. While some can be text based, others can be biometrics, secrete personal questions etc. Enable 2FA to take control of your online security today. Did you learn anything new? #CyberSecurity #OnlinePrivacy #Dataprotection #TwoFactorAuthentication #Cyberthreats #Biometricsecurity #DigitalSecurity #InfoSec #IdentityProtection
To view or add a comment, sign in
-
-
Cybersecurity Insight: How SIM Swapping Circumvents Multi-Factor Authentication Multi-factor authentication (MFA) is a good cyber hygiene practice. But not all MFA methods are built the same. Here, we look at how SIM swapping reveals potential flaws in MFA that uses SMS messages. MFA is a familiar methodology for keeping cybercriminals out and keeping your data safe. It requires users to take two or more verification steps to access applications and online platforms. Most of us have encountered some form of MFA when attempting to access our bank accounts and, increasingly, social media accounts. A common MFA method involves sending a code over SMS to a pre-registered cell phone number for verification when logging into a website. Other MFA methods include time-based authentication apps and physical security keys. However, MFA that uses SMS messages has some limitations that should be considered. Nefarious practices such as SIM swapping (also known as SIM Jacking or SIM Splitting) can bypass the MFA process and give bad actors access to your sensitive information. How Does SIM Swapping Work? Like many aspects of hacking, SIM swapping scams begin with extensive research on a target. Bad actors spend time learning about you through a variety of methods, including online research, phishing, social engineering, and using stolen data from the dark web. Hackers search for personal information required to answer security questions (for example, your mother's maiden name or the name of the high school you attended) and create a dossier on you as a potential target. Once criminals have enough information, a common method of SIM swapping involves the scammer contacting your mobile carrier. These hackers impersonate you and attempt to persuade your mobile provider to transfer your number to one of their own SIM cards. In other cases, criminals use compromised employees from the telecommunications company to willingly assist in the transfer of your number to one of their SIM cards. Once cybercriminals have your cell phone number on their SIM card, they can receive the SMS codes used for MFA. After that, they can gain access to your accounts by sending authentication codes over SMS to your phone number, which they now have the ability to control. No Such Thing as a Cybersecurity Panacea While no cybersecurity measure is foolproof, understanding and mitigating these risks can enhance your security. Consider using more robust methods, including physical security keys, in your MFA process.
To view or add a comment, sign in
-
Founder | Digital Designer | Strategist | Chef | Active Lifestyle | GM@DRI | My Purpose is to inspire and unlock your potential while leaving things better than I found them.
Cybersecurity-Mastery: Robust Cyber Defense Building a robust defense against data breaches and identity theft is imperative in our digitally interconnected world. As personal information increasingly resides online, it becomes a lucrative target for cybercriminals. Protecting this data safeguards not just your privacy, but also prevents financial loss and reputational damage. A strong defense strategy includes secure passwords, vigilant monitoring of accounts, and cautious sharing of personal information. It also means being aware of potential threats, from phishing scams to insecure networks. Proactive measures in both digital and physical realms are necessary to thwart identity theft and maintain the integrity of your personal and financial well-being. This vigilance is not just for individual safety but also contributes to broader cybersecurity efforts, as each secure link strengthens the overall chain of data protection. Nine Keys to enhance your data security: 1. Use a VPN (Virtual Private Network): A VPN encrypts your internet connection, hiding your IP address and protecting your online activities from being tracked or intercepted. 2. Strong, Unique Passwords: Create complex passwords for each account and use a password manager to keep track of them. 3. Two-Factor Authentication (2FA): Enable 2FA on all accounts that offer it for an additional layer of security beyond just a password. 4. Regular Software Updates: Keep your operating systems and applications updated. Updates often include security patches for vulnerabilities. 5. Be Wary of Phishing Attempts: Learn to recognize phishing emails, texts, and calls that try to trick you into giving away personal information. 6. Secure Wi-Fi Connections: Use secure, password-protected Wi-Fi networks. Avoid conducting sensitive transactions over public Wi-Fi networks. 7. Limit Personal Information Sharing Online: Be cautious about the amount of personal information you share on social media and other online platforms. 8. Use Antivirus Software: Install reputable antivirus software to protect your devices from malware. 9. Data Backups: Regularly back up important data to an external drive or cloud service to protect it from loss or vicious cyber attacks.
To view or add a comment, sign in
-