Hackers gained access to the Authy Android app database and “were able to identify data associated with [accounts], including phone numbers,” according to a July 1 security alert post issued by the app’s developer, Twilio.
The accounts themselves “are not compromised,” the post stated, implying that the attackers were not able to gain authentication credentials. However, the exposed phone numbers may be used for “phishing and smishing attacks” in the future. Because of this risk, Twilio encouraged Authy users to “stay diligent and have heightened awareness around the texts they are receiving.”
Related: What is a phishing attack in crypto, and how to prevent it?
Centralized exchange users often rely on Authy for two-factor authentication (2FA). It generates a code on the user’s device, which the exchange may ask for before it performs withdrawals, transfers, or other sensitive tasks. Exchanges Gemini and Crypto.com both use Authy as their default 2FA app, and Coinbase, Binance, and many other exchanges allow it as an option.
Authy is sometimes compared to Google’s Authenticator app, which has a similar purpose and is a competitor to Authy.
The attacker gained access through an “unauthenticated endpoint,” according to the post. The team has secured this endpoint, and the app no longer accepts unauthenticated requests going forward. It encouraged users to upgrade to the latest version of the app, which contains security improvements.
Twilio claimed that users’ authenticator codes have not been compromised, so the attackers should not be able to access their exchange accounts. “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data,” the company stated.
According to a report from Seeking Alpha, the hack was performed by the ShinyHunters cybercriminal group, which “leaked a text file that purportedly shows the 33M phone numbers registered with Authy.” In 2021, cybersecurity blog Restoreprivacy reported that this same criminal group was responsible for the AT&T data breach, which resulted in the data of 51 million customers being released online.
Authenticator apps were developed to prevent SIM swap attacks, a type of social engineering scheme that involves convincing a phone company to transfer a user’s phone number to the attacker. Once the attacker gains control of the user’s phone account, they use it to receive the user’s 2FA codes without needing to physically possess the user’s phone.
This type of attack is still prevalent today, as some users still receive 2FA codes through text messaging instead of through an app. On June 12, blockchain security firm SlowMist reported that millions of dollars were recently lost by OKX users due to SIM swap attacks.