Incident

Twilio confirms data breach exposing 33M phone numbers of Authy service

Take action: Always check for unauthenticated and exposed endpoints, because scraping data works just as well as hacking.



Twilio confirmed a data breach exposing 33 million phone numbers associated with its Authy two-factor authentication (2FA) application.

The incident was confirmed after the hacking group ShinyHunters claimed on the BreachForums website in late June 2024 to have obtained the phone numbers, along with account IDs and other non-personal data, from Authy users.

Twilio states that the breach was due to an unauthenticated endpoint that allowed the attackers to identify data associated with Authy accounts. The company has since secured this endpoint to prevent further unauthorized access.

While there is no evidence that the hackers accessed Twilio’s broader systems or other sensitive data, the company is urging users to install the latest Android and iOS updates and to be vigilant against phishing and smishing attacks, which may target the exposed phone numbers.

Exposed data types:

  • Phone numbers
  • Account IDs
  • Some non-personal data

Although no other sensitive data was compromised, the exposure of phone numbers could still pose a risk if attackers use the information to impersonate Twilio or Authy in phishing campaigns.
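An added example, not from Twilio or the original article: a log check for the pattern described above, where an endpoint returns data without credentials and one client queries many distinct identifiers through it. The log format, field names, paths and thresholds are assumptions, and the records are constructed.

```python
import json
from collections import defaultdict

PUBLIC_PATHS = {"/health"}  # assumption: endpoints that are meant to be open
MIN_DISTINCT = 25           # assumption: distinct lookups per client before alerting

def sample_log():
    """Constructed records: one client walking a number range, plus normal traffic."""
    walker = [{"ip": "198.51.100.7", "path": "/lookup", "auth": False,
               "status": 200, "query": f"+1555010{n:04d}"} for n in range(40)]
    normal = [
        {"ip": "203.0.113.5", "path": "/lookup", "auth": True, "status": 200, "query": "+15550190001"},
        {"ip": "203.0.113.9", "path": "/lookup", "auth": False, "status": 401, "query": "+15550190002"},
        {"ip": "203.0.113.9", "path": "/health", "auth": False, "status": 200, "query": ""},
    ]
    return [json.dumps(r) for r in walker + normal]

def analyse(lines, public=PUBLIC_PATHS, min_distinct=MIN_DISTINCT):
    """Return (exposed_paths, scrapers) from JSON access-log lines."""
    exposed = set()
    seen = defaultdict(set)  # (ip, path) -> distinct identifiers that were answered
    for line in lines:
        try:
            r = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the run
        if not isinstance(r, dict):
            continue
        answered = 200 <= r.get("status", 0) < 300
        if r.get("auth") or not answered:
            continue  # only unauthenticated requests that actually got data
        path = r.get("path", "")
        if path in public:
            continue  # expected to be open, not a finding
        exposed.add(path)
        if r.get("query"):
            seen[(r.get("ip", "?"), path)].add(r["query"])
    scrapers = {k: len(v) for k, v in seen.items() if len(v) >= min_distinct}
    return exposed, scrapers

if __name__ == "__main__":
    exposed, scrapers = analyse(sample_log())
    print("answered without credentials:", sorted(exposed))
    for (ip, path), n in scrapers.items():
        print(f"{ip} queried {n} distinct identifiers on {path}")
```
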
