API Vulnerability Exposes Millions of Authy MFA Phone Numbers

Twilio has disclosed that an unsecured API endpoint enabled threat actors to verify the phone numbers of millions of Authy multi-factor authentication (MFA) users, raising the risk of SMS phishing and SIM swapping attacks. Authy, an app that generates MFA codes for websites, is now urging users to update their apps for enhanced security.

In late June, the hacker group ShinyHunters leaked a CSV file claiming to contain 33 million phone numbers registered with Authy. The file comprises 33,420,546 rows, each with an account ID, phone number, an “over_the_top” column, account status, and device count. Twilio, the company behind Authy, confirmed that this data was obtained via an unauthenticated API endpoint.

“Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have secured this endpoint and no longer allow unauthenticated requests,” Twilio stated. “We have seen no evidence that the threat actors accessed Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay vigilant against phishing and smishing attacks.”

This incident underscores the dangers of unsecured APIs. BleepingComputer reports that the leaked data was gathered by submitting a vast number of phone numbers to the unsecured API endpoint, which then returned details about valid Authy accounts. This approach is similar to how hackers previously exploited unsecured Twitter and Facebook APIs to collect profiles with both public and private information.
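To make the design flaw concrete, here is an added example (not Twilio's or Authy's code) that models the endpoint pattern the article describes: a lookup that takes a phone number, answers without any credential, and answers differently for registered and unregistered numbers, so it acts as an account-existence oracle. Beside it is a hardened version of the same endpoint that requires an API credential, rate-limits each caller, and returns an identical response whether or not the number is known. The account table, the phone numbers, the API token, the handler names and the rate-limit constants are all constructed for illustration.

```python
"""Model of an account-lookup endpoint in its weak and hardened forms.

Added example, not code from Twilio or Authy. Everything below (the ACCOUNTS
table, the phone numbers, API_TOKEN, the handler names, the rate-limit
constants) is constructed for illustration.
"""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data; the phone numbers are placeholders, not real.
ACCOUNTS = {
    "+15550100001": {"account_id": 1001, "status": "active", "device_count": 2},
    "+15550100002": {"account_id": 1002, "status": "active", "device_count": 1},
}

# Constructed credential that a legitimate backend caller must present.
API_TOKEN = "example-token-not-real"

RATE_LIMIT = 5           # requests allowed ...
RATE_WINDOW_SEC = 60.0   # ... per this many seconds, per client

_requests = defaultdict(deque)  # client id -> timestamps of recent requests


def vulnerable_lookup(phone):
    """Weak design: no credential required, and the status code and body
    differ for known and unknown numbers, so each call confirms or denies
    that a number is registered."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return {"status": 404, "body": {"error": "no account for this phone"}}
    return {"status": 200, "body": dict(acct)}


def _rate_limited(client_id, now):
    """Sliding-window limiter: True when the client has already made
    RATE_LIMIT requests within the last RATE_WINDOW_SEC seconds."""
    q = _requests[client_id]
    while q and now - q[0] > RATE_WINDOW_SEC:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def hardened_lookup(phone, token, client_id, now=None):
    """Hardened design: require a credential, rate-limit per client, and
    return one uniform response so the caller cannot tell a registered
    number from an unregistered one. The endpoint is modelled as one that
    triggers a server-side action (for example, notifying the account's
    devices), so the caller never needs the account record in the reply."""
    now = time.monotonic() if now is None else now
    # Constant-time comparison; also rejects tokens of a different length.
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return {"status": 401, "body": {"error": "authentication required"}}
    if _rate_limited(client_id, now):
        return {"status": 429, "body": {"error": "rate limit exceeded"}}
    # Any per-account work happens here, server-side only; the reply below
    # is the same whether or not ACCOUNTS holds this number.
    _ = ACCOUNTS.get(phone)
    return {"status": 202, "body": {"message": "request accepted"}}


if __name__ == "__main__":
    print("weak, known:  ", vulnerable_lookup("+15550100001"))
    print("weak, unknown:", vulnerable_lookup("+15550100999"))
    print("hard, no auth:", hardened_lookup("+15550100001", None, "demo"))
    print("hard, known:  ", hardened_lookup("+15550100001", API_TOKEN, "demo"))
    print("hard, unknown:", hardened_lookup("+15550100999", API_TOKEN, "demo"))
```

The three controls are independent and each closes a different gap: the credential check stops anonymous bulk querying, the per-client limiter bounds how many numbers any one caller can test in a window, and the uniform response removes the oracle itself, which matters because a credential can leak and a limiter can be spread across many clients. In a real deployment the limiter state would live in shared storage rather than a process-local dictionary.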

Although the Authy leak only included phone numbers, this data is valuable for conducting smishing and SIM swapping attacks. ShinyHunters indicated that threat actors could use these phone numbers to find matches in other breaches, such as those of Gemini and Nexo, potentially facilitating SIM swapping attacks on cryptocurrency accounts.

Twilio has released new security updates and advises users to upgrade to the Authy Android app (v25.1.0) and iOS app (v26.1.0), which include important security enhancements. While the specifics of how this update protects users from the leaked data remain unclear, keeping software up to date is crucial for defense against threats.

Cybersecurity professionals, IT administrators, and tech-savvy individuals using MFA tools should heed this breach and take necessary steps to secure their accounts. General users of Authy and similar MFA apps should be aware of the potential risks and follow recommended security practices to protect their information.

Author

  • Maya Pillai

    Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
