Hackers abused API to verify millions of Authy MFA phone numbers

Gandalf_The_Grey
Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks.

Authy is a mobile app that generates multi-factor authentication codes at websites where you have MFA enabled.

In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.

The CSV file contains 33,420,546 rows, each containing an account ID, phone number, an "over_the_top" column, account status, and device count.

Twilio has now confirmed to BleepingComputer that the threat actors compiled the list of phone numbers using an unauthenticated API endpoint.

"Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests," Twilio told BleepingComputer.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks."
 
I used Authy for years until 2 weeks ago, because they locked me out after resetting my phone.

I moved all my codes to 2fas and then deleted my Authy account. Reading this, I'm glad that Authy locked me out that day.
 
Everybody has been warned for years of the dangers of using a cloud-based 2FA app. Always store them offline for this very reason.
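The article above describes the core problem: an endpoint that anyone could call and that answered differently for registered and unregistered numbers, so a caller could confirm numbers at scale. The script below is an added illustration of how a defender might spot that pattern in access logs; it is not Twilio's code, and the `/api/verify` path, the `phone=` parameter and the log lines are constructed assumptions, not the real Authy API or real logs.

```python
"""Flag clients enumerating a phone-number verification endpoint.

Added example for the incident discussed above. The endpoint path,
query parameter and log lines are constructed, not Twilio's real API.
"""
from collections import defaultdict
import re

# Constructed sample in combined-log style: one request per line.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /api/verify?phone=%2B15550000001 HTTP/1.1" 200 45
203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /api/verify?phone=%2B15550000002 HTTP/1.1" 404 12
203.0.113.5 - - [01/Jul/2024:10:00:02 +0000] "GET /api/verify?phone=%2B15550000003 HTTP/1.1" 200 45
203.0.113.5 - - [01/Jul/2024:10:00:02 +0000] "GET /api/verify?phone=%2B15550000004 HTTP/1.1" 404 12
203.0.113.5 - - [01/Jul/2024:10:00:03 +0000] "GET /api/verify?phone=%2B15550000005 HTTP/1.1" 200 45
198.51.100.7 - - [01/Jul/2024:10:00:04 +0000] "GET /api/verify?phone=%2B15550000001 HTTP/1.1" 200 45
198.51.100.7 - - [01/Jul/2024:10:00:09 +0000] "GET /api/verify?phone=%2B15550000001 HTTP/1.1" 200 45
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PHONE_RE = re.compile(r"[?&]phone=([^&\s]+)")

def parse(log_text):
    """Yield (client_ip, phone, status) for each request to the verify endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith("/api/verify"):
            continue
        p = PHONE_RE.search(m.group("path"))
        if p:
            yield m.group("ip"), p.group(1), int(m.group("status"))

def find_enumerators(log_text, min_distinct=3):
    """Return {ip: {"distinct": n, "hits": k}} for clients that probed at least
    min_distinct different numbers. "hits" counts 200 responses, i.e. numbers the
    endpoint confirmed as registered, which is exactly what an enumerator harvests.
    A legitimate user re-checking one number (198.51.100.7) is not flagged."""
    per_ip = defaultdict(lambda: {"phones": set(), "hits": 0})
    for ip, phone, status in parse(log_text):
        per_ip[ip]["phones"].add(phone)
        if status == 200:
            per_ip[ip]["hits"] += 1
    return {
        ip: {"distinct": len(d["phones"]), "hits": d["hits"]}
        for ip, d in per_ip.items()
        if len(d["phones"]) >= min_distinct
    }

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {stats['distinct']} numbers, {stats['hits']} confirmed")
```

Detection like this is a backstop; the fix Twilio describes, requiring authentication on the endpoint, removes the exposure itself.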
 