Massive Data Breach Hits Authy: Over 33 Million Users Affected
In a recent alarming revelation, a hacker released a CSV file on a dark web forum containing sensitive information on 33,420,546 users. The leaked data includes account IDs, phone numbers, account statuses, and device counts, all belonging to users of the well-known multi-factor authentication app Authy.
Authy, renowned for its convenience and security, offers a significant feature that its competitor, Google Authenticator, lacks: data synchronization across devices. This feature ensures that users can access their verification codes on multiple devices without the fear of losing access due to a misplaced device. Over the years, Authy has amassed a vast user base, including long-term users like the tech website Blue Point, which relied on Authy for over five years before switching to a password manager.
The breach was confirmed by Twilio, the developer behind Authy, which stated that the data exposure resulted from an API endpoint that was not protected by strict authentication. This lapse allowed the attackers to submit batches of phone numbers to the endpoint and learn which ones belonged to active accounts, a tactic reminiscent of a similar breach experienced by Sina Weibo.
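As an added defender-side illustration (not from the article, and not Twilio's or Authy's own code), the following Python script flags the query pattern described above: a single client submitting many distinct phone numbers to a lookup endpoint and receiving mostly "not found" answers. The log format, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example): timestamp client_ip endpoint phone status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (found|not_found)$")


def build_sample_log():
    """Construct a sample log (assumption, not real data): one client sweeping a
    contiguous block of numbers, and one client checking a few of its own numbers."""
    lines = []
    for i in range(200):  # sweeping client: sequential numbers, mostly unknown to the service
        status = "found" if i % 20 == 0 else "not_found"
        lines.append(f"2024-07-01T10:00:{i % 60:02d}Z 198.51.100.7 /lookup +1555000{i:04d} {status}")
    for n in ("+15551234567", "+15557654321", "+15551234567"):  # normal client, repeats its own number
        lines.append(f"2024-07-01T10:05:00Z 203.0.113.9 /lookup {n} found")
    return lines


def summarize(lines):
    """Per-client counts: distinct phones queried, total lookups, and 'not found' answers."""
    stats = defaultdict(lambda: {"phones": set(), "total": 0, "misses": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        _, client, _, phone, status = m.groups()
        s = stats[client]
        s["phones"].add(phone)
        s["total"] += 1
        s["misses"] += status == "not_found"
    return stats


def flag_enumerators(lines, min_distinct=50, min_miss_ratio=0.5):
    """Flag clients that query many distinct numbers and mostly get 'not found':
    the signature of sweeping a number space to learn which accounts exist.
    Returns sorted (client, distinct_phones, miss_ratio) tuples."""
    flagged = []
    for client, s in summarize(lines).items():
        miss_ratio = s["misses"] / s["total"]
        if len(s["phones"]) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged.append((client, len(s["phones"]), round(miss_ratio, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for client, n, ratio in flag_enumerators(build_sample_log()):
        print(f"possible enumeration from {client}: {n} distinct numbers, miss ratio {ratio}")
```

The same counters can feed a per-client rate limit on the endpoint, which, together with requiring authentication on it, removes the bulk lookup capability the attackers relied on.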
While passwords and login credentials were not exposed, the leak of phone numbers poses a significant risk. Hackers could launch targeted phishing attacks or attempt SIM swapping, a complex but highly damaging form of attack that can lead to immense losses for the victims.
Unfortunately, once such data is exposed, remedial options are limited. Users are advised to switch to alternative authentication apps and disable phone number-based login features on Authy to mitigate the risk of SIM swapping attacks.