Oops! Unauthenticated Endpoint Exposes Authy Users’ Phone Numbers
Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio. In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users. Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint.
An unauthenticated endpoint, particularly in the context of web services and APIs, is an access point that doesn’t require the user or client to verify their identity before accessing it. This means anyone can interact with this endpoint without providing credentials like a username, password, or API key. What the fuck!
I’ve been using Authy for years. But not after this Oopsie. I use Bitwarden for passwords and now use Bitwarden Authenticator app for 2fa codes.
Originally published at https://lorenblog.me on July 3, 2024.