A group of malicious actors has obtained more than 33 million phone numbers belonging to users of the two-factor authentication app Authy.
Authy is a widely used security tool that stores and generates verification codes for many applications and online services, strengthening login security by requiring a code as an additional factor beyond the password.
Twilio, Authy's parent company, confirmed the breach to Bleeping Computer. The company says it has secured the affected endpoint and has released updated Android and iOS apps as a precaution.
Guidelines for Affected Users
Authy users currently have no way to tell whether their own phone number was among those exposed. A phone number on its own is not an immediate threat, but it does enable follow-on attacks such as:
- SMS phishing (smishing): fraudulent messages attempting to coax users into revealing verification codes or installing malicious software.
- SIM swap attacks: these generally require additional personal details about the victim and involve the victim's mobile carrier.
Attackers may try to link the phone numbers to their owners through online searches or other leaked databases. At present, the accounts and codes stored inside Authy remain unaffected by the breach. It is worth noting that Twilio had already suffered a data breach in 2022.
If this incident brings to mind LastPass, a password management solution with a history of security breaches, your observations are valid. Concerns regarding reliability and a potential shift to a more secure platform emerge among Authy users.
Transitioning from Authy to an Alternate Option
Moving away from Authy is tedious because the app does not offer a data export. A workaround tied to an older version of the desktop application exists, but it is likely to stop working soon, since Authy is discontinuing the desktop program. A manual migration consists of the following steps:
- Log in to each service for which Authy generates codes.
- Disable 2FA in that service's security settings.
- Re-enable 2FA, this time enrolling the new authenticator app.
Repeat these steps for every service, and after each migration remove the entry from Authy by long-pressing it and choosing the delete option. Aegis and Bitwarden Authenticator are worthwhile alternatives to consider.