Twilio is warning Android and iOS users of its Authy app that hackers successfully breached its systems and stole millions of phone numbers.
Authy is reportedly an app for iOS and Android that makes it easy for consumers to use two-factor authentication (2FA) when logging into an app.
According to recent reports, Twilio found that malicious actors were able to identify data associated with Authy accounts, notably phone numbers, through an unauthenticated API.
Twilio asks all Authy users to update to the latest iOS or Android version of the app to receive the most recent security fixes. Twilio tells users that, while Authy accounts have not been hacked, threat actors may attempt to use the phone numbers linked with Authy accounts in phishing and smishing attacks.
Twilio attributes the successful attack to "unauthenticated endpoints" and states that it has taken steps to secure this endpoint, which no longer accepts unauthenticated requests.
According to media reports, 33 million phone numbers have been taken. On a popular hacking site, hackers known as ShinyHunters claimed to have hacked Twilio and stolen 33 million mobile numbers.
While the theft of phone numbers should not alarm Authy customers, the attackers may use these numbers to contact or text the affected Authy subscribers.
The attackers might then pose as Authy and request further user information such as social security numbers, bank account numbers, and other sensitive personal information.
ShinyHunters' Capabilities
ShinyHunters' claims follow its repeated intrusions into several systems, most recently the Ticketmaster hack in late May. The attack affected the personal data of 560 million members, which was at the time being sold for $500,000 on a hacker forum.
ShinyHunters allegedly acquired access to sensitive user data, such as full names, email addresses, telephone numbers, locations, purchase details, and partial credit card details.
The payment data disclosed includes the last four digits of credit card numbers, expiration dates, consumer names, and even details about customer fraud.
According to the famed hacker team ShinyHunters, Ticketmaster-Live Nation's security was breached, revealing the personal information of an astonishing 560 million subscribers. The 1.3 terabytes of data is now being offered on Breach Forums for a one-time price of $500,000.
Legitimate Websites Hacked
Cyber breaches continue to make the news, with even reputable websites being attacked through compromised code. Legitimate websites were recently affected when new owners altered previously benign JavaScript code hosted on polyfill[.]com, causing the websites to unwittingly redirect users to rogue websites.
According to reports, the JavaScript code available via polyfill[.]com had for several years been a reputable open-source effort that allowed older browsers to use advanced features they did not support by default.
By inserting a link to cdn.polyfill[.]io, websites could ensure that content in newer formats would be displayed on devices running older browsers. Because all websites had to do was embed the link, they appreciated the free service. The polyfill site's code took care of the rest.
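One way a site owner could check their own pages for embedded links to the hosts named above, shown as an added example that is not part of the original article. The function names, the sample page and its URL paths are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts as the article names them, kept defanged; refanged only for matching.
WATCHED = tuple(h.replace("[.]", ".") for h in ("polyfill[.]com", "cdn.polyfill[.]io"))

def host_of(url):
    """Lowercase host of a URL, or None for same-origin (relative) references."""
    try:
        host = urlsplit(url.strip()).hostname  # also handles //host/path
    except ValueError:                         # malformed authority
        return None
    return host.rstrip(".").lower() if host else None

def is_watched(host):
    """True when host equals a watched host or is a subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in WATCHED)

class ScriptAudit(HTMLParser):
    """Records (line, url) for <script src> and <link href> on watched hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        host = host_of(url) if url else None
        if host and is_watched(host):
            self.findings.append((self.getpos()[0], url))

def audit(html):
    """Return every watched-host reference found in one HTML document."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (URLs and paths are illustrative, not from the article).
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//CDN.Polyfill.io/v2/polyfill.js"></script>
<link rel="preload" as="script" href="https://polyfill.com/lib.js">
<script src="/static/polyfill.io/local-copy.js"></script>
<script src="https://mypolyfill.com/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for line, url in audit(SAMPLE):
        print(f"line {line}: external reference to watched host: {url}")
```

Matching is done on the parsed host rather than on the raw string, so a locally hosted copy under a path containing the name, or an unrelated domain that merely ends in the same letters, is not reported.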