Breach Exposes Millions Of Mobile Numbers To Phishing Attacks

Cloud communications provider Twilio has published a statement saying that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' mobile phone numbers.

Authy is a mobile app that generates multi-factor authentication codes for websites where you have MFA enabled.

While the accounts themselves were not compromised, the exposure of phone numbers poses a significant risk of phishing and smishing attacks. The company has said that it has taken steps to secure the endpoint, which will no longer accept unauthenticated requests.

The development comes days after an infamous threat actor known as ShinyHunters published on the Dark Web a database comprising 33 million phone numbers allegedly pulled from Authy accounts.

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert. But out of an abundance of caution, it is recommending that users upgrade their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version. It also cautioned that the threat actors may attempt to use the phone numbers associated with Authy accounts for phishing and smishing attacks. "We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.

Limiting the damage caused by a data breach or leak is your first line of defence against scammers and fraudulent activity on your accounts. Here’s what you need to do:

  • Contact your mobile service provider to let them know your number has been compromised and that someone has been illegally accessing your accounts.
  • Switch the two-factor authentication on any accounts that use the compromised phone number. You can use either a safe phone number or an authenticator app.
  • When you make these adjustments, change your security questions as well.
  • Notify your friends, family and co-workers of any compromise so they don’t fall for any scams perpetrated in your name.
  • Check your accounts for suspicious activity and watch out for social engineering attacks such as phishing via text messages or unsolicited phone calls.

Always report an incident to your local police if you have fallen victim to fraud or identity theft.

Twilio | Coin Journal | Bleeping Computer | Hacker News | Bit Defender | The Hacker News
