Twilio data leak exposes over 30 million phone numbers linked to Authy


  • Authy is a 2FA app that recently suffered a data breach that exposed more than 33 million phone numbers.
  • Threat actors were able to collect linked numbers through an unsecured API endpoint.
  • If you believe your personal information might be among the 33 million leaked numbers, you should secure your accounts with 2FA and beware of SMS phishing attacks.

Authy is an app that offers two-factor authentication so users can keep their online accounts secure. Similar to one-time passwords, Authy generates 2FA codes that are updated every 20 seconds and stored in the cloud, so users can't lose access to their codes if they lose their phone.

The app is free and works across platforms, including Android, iOS, macOS, Windows, and Linux. The only blemish on its reputation is a 2022 security breach that affected parent company Twilio, which leaked information about 75 million users, although only 93 Authy users were affected. Now, a new breach affecting the 2FA app has reportedly given threat actors access to 33 million phone numbers registered on the app.


Authy has been hacked. Here's how you can protect yourself

One of the most trusted 2FA apps has fallen victim to an attack that has affected some unfortunate individuals

Twilio released an update to its Android and iOS app on July 1, along with a press release stating that it had “discovered that due to an unauthenticated endpoint, threat actors were able to identify data associated with Authy accounts, including phone numbers.” The app updates served as a precautionary measure for users, allowing them to access the app's latest security updates.

The culprit here was an unsecured API endpoint that allowed threat actors to verify and collect numbers associated with Authy. Threat actors were reportedly able to feed a large list of phone numbers to the unsecured API, and the endpoint returned only the numbers associated with Authy, among other account information.

A screenshot from ShinyHunters, someone allegedly connected to the data leak who sells the leaked information online.

Source: Bleeping Computers

According to a report from Bleeping Computer, a threat actor named ShinyHunters was linked to the breach because he leaked a file containing over 33 million phone numbers associated with Authy, as shown in the screenshot above.

The leaked data also included account IDs, as well as details about the status of the account and other linked devices. It's worth noting that no passwords were leaked, but the leaked phone numbers and linked device information are enough for other threat actors to target Authy customers with sophisticated SMS phishing attacks.

Here's what you can do as an existing Authy user


How to protect yourself from a SIM swap attack

The risks are never zero, but you can minimize them

With access to your phone number, potential threat actors can either target you with SMS phishing attacks or attempt SIM swapping. The latter is essentially an illegal method where a threat actor convinces your carrier to transfer your phone number to another SIM card while posing as you. To convince the carrier, the threat actor could share your personal information, which they can find on social media or buy on the black market via leaks like the one from Authy.

To prevent yourself from becoming a victim of SIM swap, you can lock your SIM card with a passcode that you must enter every time you restart your device, or block your phone number directly through your service provider.

If you believe your personal information may be among the 33 million leaked numbers, be alert to suspicious SMS messages and make sure all your social media, banking, or other sensitive apps are 2FA secured and not authenticated via text message. You should also update the Authy app. Updating the app wouldn't make much of a difference now, but it will protect you if a threat actor tries to breach the unsecured API endpoint again.


The 5 best 2FA apps for Android

We help you secure your online life