Cloud communications provider Twilio has disclosed a security breach involving its two-factor authentication service, Authy. Unidentified threat actors exploited an unauthenticated endpoint within Authy to gain access to sensitive data associated with user accounts, including cell phone numbers.
“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests,” the company said in a data breach disclosure.
The provider added that it has no evidence that the intruders obtained access to Twilio’s systems or other sensitive data. However, the company recommends that all Authy users update to the latest versions of the Android and iOS apps to receive the latest security updates.
“While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,” the company explained.
The disclosure of the security breach comes just days after an online persona known as ShinyHunters published a database on the BreachForums hacker forum allegedly containing 33 million phone numbers extracted from Authy accounts.