Hackers steal millions of Authy 2FA phone numbers

Malicious actors have managed to steal more than 33 million phone numbers used by users of the two-factor authentication service Authy.
Authy is a popular security application to manage authentication codes for apps and online services.
These add to the security of sign-ins, as the codes need to be entered in a second stage of authentication.
Twilio, Authy's parent company, confirmed the authenticity of the data and the hack to Bleeping Computer.
The company revealed that it has secured the endpoint used in the attack.
It furthermore released an update for Android and iOS as a precaution.
Authy customers cannot look up whether their phone number is included in the leak.
There is no direct threat, as threat actors cannot do anything with the phone number alone.
The attackers could use online searches or other databases to link phone numbers to their owners.
Back in 2022, Twilio confirmed that it suffered a data breach.
If this reminds you of LastPass, a password management service that suffered through a series of hacks and issues in the last couple of years, you are not totally mistaken.
Migration is not straightforward, as Authy does not support exporting.
A workaround exists that uses an older version of the desktop app, but it may soon stop working, as Authy is discontinuing the desktop program.
The only other option is to manually migrate the data.
Repeat the steps for any service and delete each of them once the migration completes.
This is done by long-tapping on the item in Authy and selecting the remove option.
As far as alternatives are concerned, check out my reviews of the open source authenticator Aegis or Bitwarden Authenticator.
Should you trust a service that suffered through several breaches in the past, or should you move to a service that has not?
LastPass customers have faced the same question several times in the past, and it is the same question that Authy customers should ask themselves.
It is inconvenient, thanks to the lack of proper export options.


This Cyber News was published on www.ghacks.net. Publication date: Thu, 04 Jul 2024 05:43:06 +0000


Cyber News related to Hackers steal millions of Authy 2FA phone numbers

Twilio will ditch its Authy desktop 2FA app in August, goes mobile only - The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication app. Authy is an authenticator app that allows users to set up ...
10 months ago Bleepingcomputer.com
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
8 months ago Techrepublic.com
GitHub warns users to enable 2FA before upcoming deadline - GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication on their accounts. In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code ...
10 months ago Bleepingcomputer.com
CVE-2024-39891 - In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a ...
4 months ago
Mandiant says X account brute forced without 2FA protection The Register - Well, Mandiant's carefully worded response basically said it wasn't implemented. It didn't specifically point to the policy change X announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some ...
10 months ago Go.theregister.com
Meta brushes off risk of account theft via number recycling The Register - The core problem is that telecom companies recycle phone numbers that have been abandoned after a brief waiting period - at least 45 days in the US. That can become a problem because many online services require a phone number to identify users ...
9 months ago Theregister.com
New phishing attack steals your Instagram backup codes to bypass 2FA - A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. Two-factor authentication is a ...
11 months ago Bleepingcomputer.com
Cybercriminals Could Perform SIM Card Swapping Scams - Google Fi customers were recently informed that their personal data had been exposed due to a data breach at one of its primary network providers. Google Fi, formerly known as Project Fi, is a telecommunications service that provides telephone calls, ...
1 year ago Cybersecuritynews.com
Blue Shield of California members' Social Security numbers, other data stolen - Sensitive data from Blue Shield of California vision policy holders - including Social Security numbers, birth dates and addresses - may be among confidential patient information accessed by criminal hackers, the Oakland-based health insurance giant ...
11 months ago Siliconvalley.com
Payoneer accounts in Argentina hacked in 2FA bypass attacks - Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. Payoneer is a financial services platform providing online money ...
10 months ago Bleepingcomputer.com
FCC adopts new rules to protect consumers from SIM-swapping attacks - The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud. FCC's Privacy and Data Protection Task Force introduced the new regulations in ...
11 months ago Bleepingcomputer.com
2FA-less GitLab users vulnerable to account takeovers The Register - GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May ...
10 months ago Go.theregister.com
Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private - The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number's visibility but its discoverability. That extra safeguard might be important if you don't want ...
9 months ago Wired.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
1 year ago Therecord.media
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
CVE-2019-6332 - A potential security vulnerability has been identified with certain HP InkJet printers. The vulnerability could be exploited to allow cross-site scripting (XSS). Affected products and versions include: HP DeskJet 2600 All-in-One Printer series model ...
4 years ago
Google Fi Data Breach Reportedly Led to SIM Swapping - The Google Fi telecommunications service has informed customers about a data breach that appears to be related to the recently disclosed T-Mobile cyberattack. Google Fi, which provides wireless phone and internet services, has told customers that the ...
1 year ago Securityweek.com
Facebook and Instagram passwords were stored in plaintext, Meta fined | Malwarebytes - In 2019, a private security researcher reported finding a database with the names, phone numbers, and unique user IDs of over 267 million Facebook users. Ireland’s privacy watchdog Data Protection Commission (DPC) has fined Meta €91M ($101M) ...
1 month ago Malwarebytes.com
GitHub Wants All Users to Enable 2FA Before the End of 2023 - GitHub, the omnipresent nexus for developers and their code, has embarked on a decisive initiative aimed at fortifying the security of the software supply chain. In a groundbreaking announcement, the platform has set forth a mandate for two-factor ...
10 months ago Cybersecuritynews.com
Seattle cancer center confirms cyberattack after ransomware gang threats - A prominent cancer center based in Seattle is dealing with a cyberattack claimed by a notorious cybercrime gang that currently appears to be extorting the healthcare facility. On Friday morning, the Hunters International ransomware group listed the ...
11 months ago Therecord.media
Cyberattack knocks out Pensacola city government phone lines - The city government of Pensacola, Florida, is dealing with widespread phone outages due to a cyberattack announced over the weekend. City spokesperson Jason Wheeler told Recorded Future News that officials are experiencing phone issues across city ...
8 months ago Therecord.media
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
11 months ago Bleepingcomputer.com
Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection - Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change ...
9 months ago Wired.com
Google Fi User Data Breached Through T-Mobile Hack - According to Google Fi's email sent to its customers on Monday, a limited amount of their customer data was exposed in T-Mobile's breach after suspicious activity was noted in a system that contained Google Fi's customer data. Google Fi, Google's ...
1 year ago Hackread.com