33 MILLION NUMBERS STOLEN
Two weeks ago, Twilio, the American communication tools company, confirmed that a hacker stole millions of phone numbers from users of its popular two-factor authentication app, Authy. The company warned that these stolen numbers could be used by threat actors for phishing and smishing attacks targeting the associated Authy accounts. A hacker group known as ShinyHunters claimed on a popular hacking forum that it had compromised Twilio and obtained 33 million phone numbers registered with the Authy service. The Authy app generates secure two-step verification tokens on users' devices. The service is meant to protect accounts from hackers and hijackers by adding an extra layer of security.
HOW DID IT HAPPEN?
Twilio reported that threat actors exploited an unauthenticated API endpoint to access data associated with Authy accounts, including phone numbers. The hacker group ShinyHunters posted a CSV text file containing these numbers on the dark web. The file includes 33,420,546 rows, each with an account ID, phone number, an "over-the-top" column, account status, and device count. Twilio has since secured this endpoint, no longer allowing unauthenticated requests. Part of a statement from a company spokesperson read:
"We have taken action to secure this endpoint and no longer allow unauthenticated requests. We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks."
UPDATE YOUR APPS
BleepingComputer, the online information security and technology news publication created in 2004 by Lawrence Abrams, reported that threat actors collected Authy user data by feeding a large list of phone numbers into the unsecured API endpoint. For each valid number, the endpoint returned information about the associated Authy account. Twilio stated that it has found no evidence of hackers accessing its systems or other sensitive data beyond the phone numbers. As a precaution, however, it recommends that Authy users update their Android and iOS apps to the latest versions, which carry the latest security updates. Twilio has since apologised for the incident.
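The two passages above describe the same weakness from two angles: an endpoint that needs no credentials and that answers differently for registered and unregistered numbers, so feeding it a list of numbers sorts them into "has an Authy account" and "does not". The following Python is an added illustration, not Twilio's or Authy's code: a `weak_lookup` that behaves as such an oracle, beside a `HardenedLookup` that requires an API key, rate-limits each client, returns the same response either way, and writes an audit trail that a simple detection rule (`bulk_lookup_clients`) can consume. Every account, API key and phone number in it is constructed.

```python
"""Added illustration, not Twilio's or Authy's code: the lookup-endpoint
pattern described in the article, a weak version that behaves as a
phone-number oracle, and a hardened version with authentication, rate
limiting, uniform responses and an audit trail for detection.
Every account, key and phone number here is constructed."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample account table (fictional numbers and IDs).
ACCOUNTS = {
    "+15550000001": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15550000002": {"account_id": 1002, "status": "active", "device_count": 1},
}


def weak_lookup(phone):
    """The risky pattern: no authentication, and a different answer for
    registered and unregistered numbers, so a caller feeding in a long list
    learns which numbers have accounts (and their details)."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": dict(acct)}


class HardenedLookup:
    """Hardened version: API key required (constant-time compare), per-client
    sliding-window rate limit, and an identical response whether or not the
    number is registered. Every decision is appended to an audit list."""

    def __init__(self, api_keys, limit=5, window_s=60):
        self.api_keys = api_keys         # assumed store: api key -> client name
        self.limit = limit
        self.window_s = window_s
        self.calls = defaultdict(deque)  # client -> recent request timestamps
        self.audit = []

    def _client_for(self, presented):
        # Compare against every key so timing does not leak which one matched.
        found = None
        for key, client in self.api_keys.items():
            if hmac.compare_digest(key.encode(), presented.encode()):
                found = client
        return found

    def _over_limit(self, client, now):
        q = self.calls[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.limit

    def lookup(self, phone, api_key, now=None):
        now = time.time() if now is None else now
        client = self._client_for(api_key or "")
        if client is None:
            self.audit.append({"t": now, "client": None, "event": "unauthenticated"})
            return {"status": 401, "body": {"error": "authentication required"}}
        if self._over_limit(client, now):
            self.audit.append({"t": now, "client": client, "event": "rate_limited"})
            return {"status": 429, "body": {"error": "too many requests"}}
        self.audit.append({"t": now, "client": client, "event": "lookup"})
        # The number is resolved for internal use only; the caller sees the
        # same 202 either way, so the endpoint no longer confirms registration.
        _registered = phone in ACCOUNTS
        return {"status": 202, "body": {"message": "request accepted"}}


def bulk_lookup_clients(audit, threshold):
    """Detection rule over the audit trail: authenticated clients whose
    lookup attempts (served or rate-limited) reach the threshold."""
    counts = defaultdict(int)
    for entry in audit:
        if entry["client"] is not None and entry["event"] in ("lookup", "rate_limited"):
            counts[entry["client"]] += 1
    return sorted(c for c, n in counts.items() if n >= threshold)
```

The uniform `202` is the control that matters most for this incident class: even an authenticated, rate-limited endpoint still leaks registration status if its success and failure responses differ, so any work that depends on the number existing (sending a code, for instance) should happen out of band. The audit list is the hook for monitoring; a client that keeps hitting the limit on a lookup endpoint is the signal worth alerting on.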
NOT THE FIRST TIME
This isn't the first major hacking incident Twilio has faced. In June 2022 and August 2022, the company suffered data breaches during a phishing campaign by a group of hackers that led to the theft of 10,000 employee credentials from at least 130 companies. During this campaign, Twilio was successfully targeted, allowing attackers to access data from 163 Twilio accounts and 93 Authy accounts. Following this sophisticated social engineering attack, the communications company announced these next steps:
“We have reemphasized our security training to ensure employees are on high alert for social engineering attacks and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses. As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.”
USE WITH CAUTION
Mark Child, a co-founder and Director of Cyber London, provided invaluable words of wisdom on the precautions we need to take when using 2FA or MFA. Here’s what he said:
“Two-factor authentication (2FA) is a powerful security measure, but it's essential to use it cautiously.”
Phishing Risks
· SMS or Email 2FA - These methods send a code via text message or email, which can be vulnerable to phishing attacks.
· Authenticator Apps - While these apps generate time-based one-time passwords (TOTPs), they can still be compromised if an attacker tricks you into revealing your seed (initial setup code).
Backup Codes and Devices
· Authenticator Apps - These apps are effective as they constantly generate changing codes. However, if you lose your device, you'll need backup codes or another device with the app installed.
· Security Questions - Although easy to set up, security questions can be guessed or found online. Enhance their security by entering gibberish answers and storing them securely.
Choosing the Right Method
· Authenticator Apps - For a balance of security and convenience, authenticator apps are recommended. They are harder to phish than SMS or email codes.
· U2F Keys - For maximum security and privacy, consider using U2F keys (hardware tokens).
“Always stay vigilant and choose the 2FA method that best suits your needs and risk tolerance.”
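Two of the points in the advice above are easier to see in code: an authenticator app's "seed" is the entire secret (anyone holding it computes the same codes), and backup codes only help if they are stored hashed and consumed on first use. The following Python is an added example, not part of Mark Child's words and not code from Cyber London or Authy: a minimal RFC 6238 TOTP generator and verifier, plus a small single-use backup-code store. The seed and timestamps used in the checks are the published RFC 4226/6238 test vectors; the backup codes are generated at run time.

```python
"""Added example, not from the article or from Cyber London: a minimal
RFC 6238 TOTP generator and verifier plus a hashed, single-use backup-code
store. It shows why the seed is the only secret behind an authenticator
app, and why backup codes must be stored hashed and consumed on use.
The seed below is the public RFC 4226/6238 test secret."""
import hashlib
import hmac
import secrets
import struct
import time

RFC_TEST_SEED = b"12345678901234567890"  # public RFC 4226/6238 test secret


def hotp(seed, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    Anyone holding the seed computes the same code, which is why a leaked
    setup code (the seed) defeats this second factor."""
    at_time = time.time() if at_time is None else at_time
    return hotp(seed, int(at_time // step), digits)


def verify_totp(seed, presented, at_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step and +/- `window` steps of clock
    drift, comparing in constant time and without early exit."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // step)
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta, digits), presented):
            ok = True
    return ok


class BackupCodes:
    """Single-use recovery codes: only SHA-256 hashes are stored server-side,
    and a code is removed the first time it is redeemed. `plain` exists only
    so the codes can be shown to the user once at enrolment."""

    def __init__(self, count=8, nbytes=5):
        self.plain = [secrets.token_hex(nbytes) for _ in range(count)]
        self._hashes = {self._h(c) for c in self.plain}

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code):
        h = self._h(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self):
        return len(self._hashes)
```

Because `totp` is a pure function of the seed and the clock, two devices enrolled with the same setup code produce identical codes, which is the "another device with the app installed" recovery path above and, equally, the reason a seed revealed to a phisher gives them a working second factor. The drift window is deliberately small; widening it trades clock tolerance for a larger set of codes that verify at any moment.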
You can reach out to Cyber London here and also become a member of this fast-growing non-profit.