Authy 2FA app has leaked phone numbers that can be used for phishing

Hackers gained access to the Authy Android app database and “were able to identify data associated with [accounts],” including phone numbers, according to a July 1 security alert post by app developer Twilio.

The accounts themselves were “not compromised,” the post stated, implying that the attackers were unable to obtain authentication credentials. However, the exposed phone numbers could be used for future “phishing and smishing attacks.” Because of this risk, Twilio encouraged Authy users to “stay diligent” and be aware of the text messages they receive.

Twilio security alert about Authy data breach. Source: Twilio

Related: What is a phishing attack in crypto and how to prevent it?

Centralized exchange users often rely on Authy as their two-factor authentication (2FA) app. It generates a code on the user's device, which the exchange may request before performing withdrawals, transfers or other sensitive operations. Exchanges Gemini and Crypto.com both use Authy as their default 2FA app, and Coinbase, Binance and many other exchanges allow it as an option.


Authy is often compared with Google Authenticator, a competing app that serves the same purpose.

The attacker gained access through an “unauthenticated endpoint,” according to the post. The team has since secured this endpoint, so the app will no longer accept unauthenticated requests. Users are encouraged to upgrade to a version of the app that contains the security updates.
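The following is an added illustration, not Twilio's code or a description of the actual Authy endpoint. It models the general risk an unauthenticated lookup endpoint carries: if the reply differs for enrolled and non-enrolled phone numbers, a caller can confirm which numbers are registered one at a time. The hypothetical `lookup_insecure` shows that pattern, `lookup_hardened` applies the controls a reviewer would expect (caller authentication, per-token rate limiting, a uniform reply), and `flag_enumeration` is a simple detection over constructed log lines. All phone numbers, tokens, IPs and log lines are made up for the example.

```python
"""Hypothetical phone-number lookup endpoint: data-exposing variant beside a
hardened one, plus a log check for enumeration behaviour. Constructed example."""
import re
from collections import defaultdict

# Constructed registry of enrolled numbers (fake, E.164-style values).
REGISTERED = {"+15550100001", "+15550100002", "+15550100003"}

# Hypothetical API tokens issued to legitimate client apps.
VALID_TOKENS = {"tok-demo-client"}


def lookup_insecure(phone: str) -> dict:
    """Pattern to avoid: no caller authentication, and the reply differs
    depending on whether the number is enrolled, so membership leaks."""
    if phone in REGISTERED:
        return {"found": True, "phone": phone}
    return {"found": False}


class RateLimiter:
    """Sliding-window limiter keyed by caller (token), in memory for the demo."""

    def __init__(self, limit: int, window_s: int):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(list)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed


LIMITER = RateLimiter(limit=5, window_s=60)


def lookup_hardened(phone: str, token: str, now: float) -> dict:
    """Same operation with three controls: the request must carry a valid
    token, each token is rate limited, and the reply is identical whether or
    not the number is enrolled. Any real work (e.g. sending a verification
    message) happens out of band, so the caller cannot tell which branch ran."""
    if token not in VALID_TOKENS:
        return {"status": "unauthorized"}
    if not LIMITER.allow(token, now):
        return {"status": "rate_limited"}
    enrolled = phone in REGISTERED  # used internally only, never returned
    if enrolled:
        pass  # hypothetical: queue the out-of-band action here
    return {"status": "accepted"}


# Constructed access-log format: timestamp, client IP, queried number, auth mode.
LOG_RE = re.compile(r"ip=(?P<ip>\S+) phone=(?P<phone>\+\d+) auth=(?P<auth>\w+)")

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2024-07-01T10:00:01Z ip=203.0.113.9 phone=+15550100001 auth=none",
    "2024-07-01T10:00:02Z ip=203.0.113.9 phone=+15550100002 auth=none",
    "2024-07-01T10:00:02Z ip=203.0.113.9 phone=+15550100003 auth=none",
    "2024-07-01T10:00:03Z ip=203.0.113.9 phone=+15550100004 auth=none",
    "2024-07-01T10:00:05Z ip=198.51.100.4 phone=+15550100001 auth=token",
    "2024-07-01T10:00:06Z ip=198.51.100.4 phone=+15550100001 auth=token",
]


def flag_enumeration(log_lines, threshold: int = 3) -> set:
    """Return source IPs that queried more than `threshold` distinct numbers
    without authentication within the supplied lines."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["auth"] == "none":
            distinct[m["ip"]].add(m["phone"])
    return {ip for ip, phones in distinct.items() if len(phones) > threshold}


if __name__ == "__main__":
    print(lookup_insecure("+15550100001"), lookup_insecure("+15559999999"))
    print(lookup_hardened("+15550100001", "tok-demo-client", 0.0))
    print(flag_enumeration(SAMPLE_LOG))
```

The insecure and hardened functions return the same internal result (`enrolled`), but only the insecure one exposes it to the caller; the detection query would be run over the endpoint's real access logs with a threshold tuned to normal client behaviour.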

Twilio said users' authentication codes were not compromised, so the attackers should not have been able to access their exchange accounts. “We have seen no evidence that the threat actors accessed Twilio's systems or other sensitive data,” the company said.

According to a report from Seeking Alpha, the hack was carried out by the ShinyHunters cybercriminal group, which “released a text file showing the 33M phone numbers registered with Authy.” In 2021, the cybersecurity blog RestorePrivacy reported that the same criminal group claimed responsibility for the AT&T data breach, which resulted in the data of 51 million customers being released online.

Authenticator apps are designed to defeat SIM swap attacks, a social engineering technique in which an attacker persuades a phone company to transfer a user's phone number to the attacker. Once the attacker controls the user's phone account, they can receive the user's SMS 2FA codes without ever physically obtaining the user's phone.

This type of attack is still prevalent today, since some users still receive 2FA codes through text messages instead of an app. On June 12, blockchain security firm SlowMist reported that OKX users had lost millions of dollars to recent SIM swap attacks.
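To make concrete why an app-generated code is not reachable through a hijacked phone number, here is an added example (not Authy's or Twilio's code) of the time-based one-time password scheme standardized in RFC 6238, which authenticator apps of this kind use. The code is derived from a secret shared between the device and the service plus the current time; the phone number is not an input at all, so a SIM swap yields nothing. The shared secret and timestamp below are the published RFC 4226/6238 test values, so the outputs can be checked against the RFCs; the `window` parameter is an assumption typical of verifiers.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP) in plain Python, for illustration."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second
    intervals elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.
    Uses a constant-time comparison so the check itself leaks nothing."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


# Shared secret from the RFC test vectors (ASCII "12345678901234567890").
# In practice the device generates a random secret at enrollment and never
# sends it again; the service stores it, and the phone number plays no role.
RFC_SECRET = b"12345678901234567890"


def demo_at(at: int = 59) -> dict:
    """Return the HOTP/TOTP values for the RFC test time so they can be
    compared with the published vectors."""
    return {
        "hotp_counter_0": hotp(RFC_SECRET, 0),
        "totp_at_59": totp(RFC_SECRET, at),
        "valid": verify_totp(RFC_SECRET, totp(RFC_SECRET, at), at),
    }


if __name__ == "__main__":
    print(demo_at())
    print("current code:", totp(RFC_SECRET, int(time.time())))
```

Because the only inputs are the secret and the clock, the defensive takeaway matches the article: a leaked or hijacked phone number does not let anyone compute these codes, whereas an SMS-delivered code goes wherever the number has been ported.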

Magazine: Crypto-Sec: Phishing Scammer Targets Hedera Users, Address Poison Gets $70K
