When the two-factor authentication app itself gets breached: the Authy case
After the 2022 attack on Twilio, the company has once again been compromised. Beyond the reputational damage (and the irony, since Twilio sells security products), the hole in Authy's defenses handed the attackers 33 million phone numbers.
The Authy app has ended up at the center of a paradoxical situation. If the phone numbers of millions of users were not at stake, the news would almost be funny: the two-factor authentication app, designed to add a layer of protection when users interact with sensitive areas of a platform, has itself been breached.
WHAT TWILIO SAID ABOUT THE HACKER ATTACK ON AUTHY
The Twilio spokesperson's statement was terse: "the company has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken steps to secure this endpoint and are no longer allowing unauthenticated requests."
WHAT HAPPENS NOW?
First of all, Authy users were asked to update the app immediately: Android users to version 25.1.0 and iOS users to version 26.1.0. Twilio, which has owned Authy since 2015, explained very little about how the breach happened, limiting itself, as quoted above, to saying that "the threat actors were able to identify the data associated with Authy accounts, including telephone numbers, due to an unauthenticated endpoint."
The company says it has already secured the endpoint and "no longer allow[s] unauthenticated requests." In the meantime, the contours and scope of the attack still need to be understood. The scale already looks considerable: 33 million phone numbers, one per affected user, were pulled out of Authy through that unauthenticated endpoint. In practical terms, the endpoint behaved as an enumeration oracle: anyone who could reach it could feed it phone numbers and learn which ones belonged to an Authy account, with no credential required.
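The following is an added example, not Twilio's or Authy's code, and the article does not describe the real endpoint's request or response format. It assumes a hypothetical "lookup by phone number" operation and uses a constructed set of registered numbers. It shows why an unauthenticated endpoint that answers differently for registered and unregistered numbers is an enumeration oracle, and one hardened shape: require a credential, rate-limit the caller, and return the same response whether or not the number exists.

```python
"""Added example (hypothetical, not Twilio/Authy code): phone-number
enumeration through an unauthenticated lookup endpoint, and a hardened
version of the same endpoint."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample data: numbers registered with the hypothetical service.
REGISTERED: Set[str] = {"+15550100001", "+15550100002", "+15550100003"}


@dataclass
class Request:
    phone: str
    api_key: Optional[str] = None   # credential presented by the caller, if any
    client_ip: str = "203.0.113.10"  # documentation-range address, constructed


# --- Vulnerable shape: no authentication, and the answer reveals existence ---
def lookup_vulnerable(req: Request) -> dict:
    """Anyone can ask 'is this number registered?' and get a truthful answer."""
    if req.phone in REGISTERED:
        return {"status": 200, "registered": True, "phone": req.phone}
    return {"status": 404, "error": "not found"}


# --- Hardened shape: credential required, rate limited, uniform response ---
API_KEYS: Dict[str, str] = {"client-a": "secret-a"}  # hypothetical key store
BUCKET: Dict[str, List[float]] = {}                   # client_ip -> timestamps
RATE_LIMIT, WINDOW = 5, 60.0                          # 5 requests per minute


def _authenticated(req: Request) -> bool:
    if req.api_key is None:
        return False
    # Constant-time comparison so the check itself does not leak key material.
    return any(hmac.compare_digest(req.api_key, k) for k in API_KEYS.values())


def _rate_limited(ip: str, now: float) -> bool:
    recent = [t for t in BUCKET.get(ip, []) if now - t < WINDOW]
    if len(recent) >= RATE_LIMIT:
        BUCKET[ip] = recent
        return True
    recent.append(now)
    BUCKET[ip] = recent
    return False


def lookup_hardened(req: Request, now: Optional[float] = None) -> dict:
    """Same operation, but it no longer works as an enumeration oracle."""
    now = time.monotonic() if now is None else now
    # Throttle first so unauthenticated floods are cut off as well.
    if _rate_limited(req.client_ip, now):
        return {"status": 429, "error": "too many requests"}
    if not _authenticated(req):
        return {"status": 401, "error": "authentication required"}
    # Identical status and body for registered and unregistered numbers: the
    # caller learns nothing about whether the number has an account.
    return {"status": 202, "message": "if this number is registered, a code has been sent"}


def enumerate_numbers(lookup: Callable[[Request], dict],
                      candidates: Iterable[str],
                      make_request: Callable[[str], Request]) -> Set[str]:
    """Attacker loop: try each candidate and keep those the endpoint confirms."""
    found: Set[str] = set()
    for number in candidates:
        if lookup(make_request(number)).get("registered"):
            found.add(number)
    return found


if __name__ == "__main__":
    candidates = ["+15550100001", "+15550100002", "+15550199999"]
    print("vulnerable:", enumerate_numbers(lookup_vulnerable, candidates, Request))
    print("hardened:  ", enumerate_numbers(lookup_hardened, candidates, Request))
```

Against the vulnerable handler the loop recovers every registered number in the candidate list; against the hardened one it recovers nothing, because unauthenticated callers get a 401, authenticated callers get the same 202 for every number, and any single source is throttled after five requests a minute. The uniform response is the part that matters most: authentication alone would still let a compromised or abusive API client enumerate numbers.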
TWILIO'S (NOT-REASSURING) REASSURANCES
For its part, the company tries to reassure: "We have had no evidence that whoever acted obtained access to Twilio systems or other sensitive data. As a precaution, we are requiring all Authy users to update their Android and iOS apps to the latest version for the latest security updates and encourage all Authy users to remain vigilant and have increased awareness of phishing attacks and smishing."
A NEW RISK FOR AUTHY USERS
The main fear is that, now that attackers can tell which phone numbers belong to Authy customers, it will be easier to target those users with deceptive messages, for example SMS texts that cite the breach itself as the pretext for asking them to hand over sensitive data or authentication codes.
HERE WE GO AGAIN?
This is not the first time Twilio has been targeted and breached: in 2022, through a social engineering campaign, attackers gained access to the phone numbers of 1,900 users of the Signal messaging app, which relied on Twilio for its phone-number verification service.
This is a machine translation from Italian of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/quando-a-essere-bucata-dagli-hacker-e-lapp-per-la-doppia-autenticazione-il-caso-authy/ on Tue, 09 Jul 2024 05:11:32 +0000.