According to Twilio’s investigation into the August 4 assault, hackers obtained access to select Authy user accounts and registered illegal devices.
Twilio’s Authy is a two-factor authentication (2FA) service that allows users to safeguard their online accounts that support the capability by identifying a second time via a dedicated app after filling in the login credentials.
When connecting to an account with 2FA enabled, Authy will prompt you for an additional one-time passcode. This prevents access to the account even if the login credentials are compromised.
As a result, it is critical to secure your Authy account, as hackers can log in to your compromised account if they acquire access to it. The service is quite popular, rivaling Google Authenticator, and supports many devices, synchronizing created 2FA tokens across registered devices.
Compromised Authy accounts have been notified.
Twilio revealed on Thursday that the threat actor who gained access to its infrastructure on August 4 also gained access to the accounts of 93 Authy users and associated devices to those accounts.
Twilio emphasizes that the compromised Authy accounts belong to individual individuals and constitute a small percentage of the total of 75 million users. However, the hackers would have had access to the 2FA codes produced for the Authy users’ accounts for those 93 people.
It is unclear whether the hackers particularly targeted the 93 Authy users. According to the firm, the illegal devices have been deleted from the compromised accounts, and the affected individuals have been contacted with recommendations on how to safeguard their accounts:
- Examine any associated account(s) for unusual behavior and, if necessary, work with their account provider(s).
- Examine all devices associated with their Authy account and delete those that they do not recognize.
- We propose that users install a backup device and disable “Allow Multi-device” in the Authy application to prevent the addition of unwanted devices. Users can re-enable “Allow Multi-device” at any time to add additional devices. Specific instructions can be found here.
According to the cloud communications firm, its investigation revealed 163 Twilio users whose data was accessed by the intruders for a limited time. They were also notified of the illicit access. The Twilio data breach appears to be part of a bigger hacking campaign that targeted at least 130 companies, including MailChimp, Klaviyo, and Cloudflare.
