Cloud communications provider Twilio Inc. is asking Authy users to update their apps today after threat actors were able to identify data associated with Authy accounts through an unauthenticated endpoint.

The request comes a week after well-known threat actor ShinyHunters claimed to have compromised Authy and posted a CSV file on BreachForums that allegedly contained 33 million phone numbers registered with the Authy service. Authy, owned by Twilio since 2015, is a two-factor authentication app that provides secure access to online accounts through multi-device support and encrypted backups.

In a July 1 security alert, Twilio said it had taken action to secure the exposed endpoint and stop unauthenticated requests. The company also claims that it has seen “no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data.” As a precaution, all Authy users are being asked to update to the latest version of the app for the latest security update.

Though the Authy accounts were not compromised, Twilio is warning that threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks. Users are encouraged to be diligent and to have heightened awareness of the validity of any texts they receive.

“As the standard script for breaches in the API era, Twilio is next on stage,” Jason Kent, hacker in residence at API security and bot management company Cequence Security Inc., told SiliconANGLE. “We have shown over and over that an API endpoint that accepts data and gives responses on that data needs to be covered with both Authentication and Authorization or someone will abuse the endpoint.”

“If you are an Authy user, you are advised to understand that the MFA service for your account may be compromised,” Kent added. “Any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end-user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t.”

This is not the first time Twilio has been successfully targeted by hackers. In August 2022, Twilio revealed that it had been targeted by a cyberattack that led to the theft of employee credentials, which in turn gave the hackers access to a “limited number” of customer accounts. Unfortunately, the access the hackers managed to gain in that attack was subsequently used to intercept onetime passwords issued by Okta Inc.

Image: Authy