CISA warns of actively exploited Twilio Authy vulnerability
Take action: If you are still using old Twilio Authy applications on Android or iOS, update as soon as possible. Also check your Authy integrations for any possibly vulnerable endpoints.
CISA is reporting an actively exploited flaw in Twilio Authy. The vulnerability, tracked as CVE-2024-39891 (CVSS score 5.3), is an information disclosure issue in the Twilio Authy API used by Authy Android versions prior to 25.1.0 and Authy iOS versions prior to 26.1.0. It lies in an unauthenticated endpoint that leaks phone number data.
According to a NIST advisory, the endpoint accepted requests containing phone numbers and responded with information indicating whether each phone number was registered with Authy. Although Authy accounts themselves were not compromised, this issue exposed data associated with Authy accounts.
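As an added illustration (not from the article, NIST or Twilio), here is a defender-side check for the pattern described above: one client sending many distinct phone numbers to an unauthenticated registration-lookup endpoint in a short window. It assumes a hypothetical access-log format and uses constructed sample lines; the path `/lookup` and the field layout are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample access log in a hypothetical format (not Twilio's):
# <ISO timestamp> <client IP> <auth|anon> <path> <phone number queried>
SAMPLE_LOG = """\
2024-06-25T10:00:00Z 203.0.113.7 anon /lookup +15550000001
2024-06-25T10:00:01Z 203.0.113.7 anon /lookup +15550000002
2024-06-25T10:00:02Z 203.0.113.7 anon /lookup +15550000003
2024-06-25T10:00:02Z 203.0.113.7 anon /lookup +15550000004
2024-06-25T10:00:03Z 203.0.113.7 anon /lookup +15550000005
2024-06-25T10:00:03Z 203.0.113.7 anon /lookup +15550000006
2024-06-25T10:00:05Z 198.51.100.9 auth /lookup +15550001000
2024-06-25T10:00:09Z 198.51.100.9 auth /lookup +15550001000
2024-06-25T10:00:20Z 192.0.2.44 anon /lookup +15550002000
2024-06-25T10:00:40Z 192.0.2.44 anon /lookup +15550002000
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, authenticated, path, phone)."""
    ts, ip, auth, path, phone = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, auth == "auth", path, phone

def find_enumerators(log_text, path="/lookup", window_seconds=60, threshold=5):
    """Return {ip: peak distinct phone numbers queried in any sliding window}
    for unauthenticated callers whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, authed, req_path, phone = parse_line(line)
        if req_path == path and not authed:
            events[ip].append((ts, phone))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, phone in evs:
            in_window[phone] += 1
            # Drop events that fell out of the window ending at ts.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Authenticated callers and a client repeatedly checking a single number are not flagged; only unauthenticated callers sweeping many distinct numbers are.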
The vulnerability became widely known after the ShinyHunters hacker group leaked 33 million phone numbers associated with Authy in late June. In response, CISA added CVE-2024-39891 to the KEV catalog and advised federal agencies to identify and address any vulnerable instances by August 13, in accordance with Binding Operational Directive (BOD) 22-01.
Twilio identified this vulnerability on July 1 and urged users to update to the latest versions of Authy (Android version 25.1.0 and iOS version 26.1.0). The company has since secured the endpoint to prevent unauthenticated requests. Twilio claims that no internal systems or other sensitive data were accessed during these attacks. However, the company warned that the exposed phone numbers could be used for phishing and smishing attacks.