Hackers have exploited an unsecured API endpoint in Twilio to verify millions of Authy users’ phone numbers, leaving them vulnerable to SMS phishing and SIM swapping attacks.
It appears that in late June 2024, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.
Authy is a multi-factor authentication app. It generates one-time codes on the user's phone, which are then entered to complete login to a particular website. Looking into the issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence.
Kent begins by detailing what has happened: “As the standard script for breaches in the API era, Twilio is next on stage. We have shown over and over that an API endpoint that accepts data and gives responses on that data needs to be covered with both Authentication and Authorization or someone will abuse the endpoint.”
In terms of the specific case there are technological challenges and unusual patterns, as Kent recounts: “This example is an interesting one because it starts where you might not expect. As you attach a device to the Authy service they rely heavily on that device's phone number. Their systems are very interested in this number and obviously there are many endpoints that accept the number, and my guess is, if the number doesn't exist there is an error.”
Kent says tellingly: “If the number does exist there is either a lack of error or some other way of knowing.”
In terms of the implications, Kent goes on to explain: “So, if I want to take over someone’s account that is using Authy’s MFA, I need to know what number they used to sign that account up with and perform a SIM swap to get the MFA code sent to the new phone. This is a reverse attack where the MFA service provider was able to validate the numbers first, now the SIM swapping attacks can commence.”
This creates a precarious situation: “Twilio has since put authentication on the endpoint in question, but it is still unknown if anyone has bought the 33 million records lost in the data dump.”
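The mechanism Kent describes is an enumeration oracle: an endpoint that accepts a phone number and answers differently depending on whether that number is registered. The following is an added illustration written for this page, not Twilio's or Authy's code, and it does not reproduce the real endpoint. It models a toy lookup handler in two forms: a vulnerable one with no authentication whose status code reveals existence, and a hardened one that requires a bearer token and returns the same response whether or not the number is known. The registered numbers, the API token and the function names are all constructed for the example.

```python
# Added example (not Twilio's or Authy's code): a toy model of a phone-number
# lookup endpoint showing how a response difference becomes an enumeration
# oracle, and what removing that difference looks like.
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data: numbers "registered" with the hypothetical service.
REGISTERED = {"+15550100001", "+15550100003", "+15550100007"}

# Hypothetical API credential a legitimate caller would hold (constructed).
API_TOKEN = "s3cr3t-example-token"


@dataclass
class Response:
    status: int
    body: dict


def vulnerable_lookup(phone: str) -> Response:
    """No authentication; status code and body leak whether the number exists."""
    if phone in REGISTERED:
        return Response(200, {"phone": phone, "registered": True})
    return Response(404, {"error": "Unknown number"})


def enumerate_numbers(endpoint: Callable[[str], Response],
                      candidates: Iterable[str]) -> List[str]:
    """What an attacker does with an oracle like vulnerable_lookup: submit a
    candidate list (e.g. every number in a block) and keep the confirmed ones."""
    return [n for n in candidates if endpoint(n).status == 200]


def hardened_lookup(phone: str, bearer: Optional[str]) -> Response:
    """Require a credential, then answer identically for known and unknown numbers."""
    if bearer is None or not hmac.compare_digest(bearer, API_TOKEN):
        return Response(401, {"error": "unauthorized"})
    # An authorized caller triggers the verification flow server-side, but the
    # response never states whether the number was registered. A real service
    # would also rate-limit per caller and per target number.
    return Response(202, {"status": "if this number is registered, a code has been sent"})


def responses_differ(endpoint: Callable[..., Response],
                     known: str, unknown: str, **kw) -> bool:
    """True if the endpoint behaves as an existence oracle for this pair."""
    return endpoint(known, **kw) != endpoint(unknown, **kw)


if __name__ == "__main__":
    candidates = [f"+1555010000{i}" for i in range(10)]
    print("leaked by vulnerable endpoint:", enumerate_numbers(vulnerable_lookup, candidates))
    print("oracle, vulnerable:",
          responses_differ(vulnerable_lookup, "+15550100001", "+15550100002"))
    print("oracle, hardened without token:",
          responses_differ(hardened_lookup, "+15550100001", "+15550100002", bearer=None))
    print("oracle, hardened with token:",
          responses_differ(hardened_lookup, "+15550100001", "+15550100002", bearer=API_TOKEN))
```

Adding authentication alone closes the hole for anonymous callers, which is what the article says Twilio did; the uniform response in the hardened handler additionally stops an authenticated but abusive caller from using the endpoint as an oracle.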
In terms of advice, Kent puts forward: “If you are an Authy user, you are advised to understand that that MFA service, for your account, may be compromised and any service using Authy as its MFA should take additional actions to ensure a SIM swap wasn’t recent on the account and ensure the end user has additional authentication parameters in place to validate if the user is intentionally attempting something they shouldn’t.”