Cybercriminals have successfully acquired more than 33 million phone numbers from users of the two-factor authentication service Authy.
Authy is a widely used authenticator app that generates the one-time codes many websites and services accept as a second factor at login, so that a stolen password alone is not enough to get in.
Twilio, Authy's parent company, confirmed the breach to BleepingComputer and says it has secured the affected endpoint. It has also released updated Android and iOS apps as a precaution.
Steps for Impacted Users
Authy users have no way to check whether their own number is among the stolen data. A phone number on its own is not an immediate threat, but it gives attackers a starting point for:
- SMS phishing (smishing): messages impersonating Authy, Twilio or another trusted service that try to trick users into handing over authentication codes or installing malware.
- SIM swapping: moving the victim's number to an attacker-controlled SIM. This usually requires additional personal information and involves deceiving the victim's mobile carrier.
Attackers may also try to link the numbers to names and accounts using search engines or data from other breaches. According to Twilio, the Authy accounts themselves and the authenticator data they hold were not accessed. This is not Twilio's first incident: the company also suffered a breach in 2022.
If this reminds you of LastPass, a password manager with its own history of breaches, the comparison is fair. Repeat incidents raise the question of whether Authy users should keep trusting the service or move to an alternative.
Switching from Authy to an Alternative Service
Leaving Authy is not straightforward because the app has no export function. A workaround exists that relies on an older version of the desktop app, but it may stop working soon, since Authy is discontinuing the desktop program. Migrating by hand means, for each service:
- Sign in to the service for which Authy currently generates codes.
- Disable 2FA in that service's security settings.
- Re-enable 2FA and enroll the new QR code (or secret) in the new authenticator app, saving any backup codes the service offers.
Repeat this for every service. Only after confirming that the new app produces codes the service accepts should you remove the entry from Authy, by long-pressing the item and selecting the remove option. Aegis and Bitwarden Authenticator are two notable alternatives.
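The codes Authy and its alternatives display are ordinary RFC 6238 time-based one-time passwords derived from the secret in the service's enrollment QR code. As an added example that is not part of the article and not code from Authy or Twilio, the following script parses such an otpauth:// URI and computes the current code, which makes it easy to confirm that a newly enrolled app agrees with the service before the old Authy entry is deleted. The sample URI and its secret are constructed for illustration; a real secret should never be pasted into anything you do not control.

```python
"""Compute RFC 6238 TOTP codes from an otpauth:// enrollment URI.

Added example, not from the article or from Authy/Twilio. The sample URI below
is constructed for illustration only.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the URI a service encodes in its enrollment QR code.
# The secret is the base32 form of the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return (label, secret_bytes, algorithm, digits, period) from an otpauth URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    # Some issuers omit base32 padding; restore it so b32decode accepts it.
    secret += "=" * (-len(secret) % 8)
    return (
        unquote(parsed.path.lstrip("/")),
        base64.b32decode(secret),
        params.get("algorithm", "SHA1").upper(),
        int(params.get("digits", 6)),
        int(params.get("period", 30)),
    )


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(timestamp) // period, digits, algorithm)


def code_from_uri(uri, timestamp=None):
    """Current code and the seconds left in its validity window for an enrollment URI."""
    _, key, algorithm, digits, period = parse_otpauth(uri)
    now = time.time() if timestamp is None else timestamp
    return totp(key, now, digits, period, algorithm), period - int(now) % period


if __name__ == "__main__":
    label, *_ = parse_otpauth(SAMPLE_URI)
    code, remaining = code_from_uri(SAMPLE_URI)
    print(f"{label}: {code} (valid for {remaining}s)")
```

If the code printed here matches what the new authenticator shows for the same enrollment, the migration for that service worked and the Authy entry can be removed. The script needs an accurate system clock, as does any authenticator app; a skew of more than the 30-second step produces codes the service will reject.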
Image Source: Song_about_summer / Shutterstock