Twilio’s investigation into the attack on August 4 reveals that hackers gained access to some Authy user accounts and registered unauthorized devices.
Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts where the feature is supported by identifying a second time via a dedicated app after typing in the login credentials.
When logging into an account with 2FA enabled, Authy will provide an additional one-time passcode required to login. This protects the account from being accessed even if the login credentials are compromised.
Because of this, it is vital to secure your Authy account, as if hackers gain access to it, they can logon to your compromised account.
The service is highly popular, rivaling Google’s Authenticator, and provides support for multiple devices, synchronizing the generated 2FA tokens across registered devices.
Compromised Authy accounts alerted
On Thursday, Twilio announced that the threat actor that gained access to its infrastructure on August 4 has also accessed accounts of 93 Authy users and linked devices to those accounts.
Twilio underlines that the compromised Authy accounts belong to individual users and represent a small fraction of the total number of 75 million users.
However, for those 93 users, the hackers would have been able to access the 2FA codes generated for the Authy users’ accounts.
It is unclear if the 93 Authy users were specifically targeted by the hackers.
The company says that it has removed the unauthorized devices from the compromised accounts and has contacted the affected users to provide instructions on how to protect their accounts:
Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.
Review all devices tied to their Authy account and remove any additional devices they don’t recognize.
To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable “Allow Multi-device” in the Authy application. Users can re-enable “Allow Multi-device” to add new devices at any time. Specific steps can be found here.
The cloud communications company also says that its investigation identified 163 Twilio users whose data was accessed by the intruders for a limited period. They also received notifications about the unauthorized access.
The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.
In previous updates on the incident, Twilio said that the breach impacted 125 customers, as hackers were able to access their authentication information.