Twilio’s investigation into the attack on August 4 reveals that hackers gained access to some Authy user accounts and registered unauthorized devices.
Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts where the feature is supported by identifying a second time via a dedicated app after typing in the login credentials.
When logging into an account with 2FA enabled, Authy will provide an additional one-time passcode required to login. This protects the account from being accessed even if the login credentials are compromised.
Because of this, it is vital to secure your Authy account, as if hackers gain access to it, they can logon to your compromised account.
The service is highly popular, rivaling Google’s Authenticator, and provides support for multiple devices, synchronizing the generated 2FA tokens across registered devices.
Compromised Authy accounts alerted
On Thursday, Twilio announced that the threat actor that gained access to its infrastructure on August 4 has also accessed accounts of 93 Authy users and linked devices to those accounts.
Twilio underlines that the compromised Authy accounts belong to individual users and represent a small fraction of the total number of 75 million users.
However, for those 93 users, the hackers would have been able to access the 2FA codes generated for the Authy users' accounts.
It is unclear if the 93 Authy users were specifically targeted by the hackers.
The company says that it has removed the unauthorized devices from the compromised accounts and has contacted the affected users to provide instructions on how to protect their accounts:
- Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.
- Review all devices tied to their Authy account and remove any additional devices they don't recognize.
- To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable “Allow Multi-device” in the Authy application. Users can re-enable “Allow Multi-device” to add new devices at any time. Specific steps can be found here.
The cloud communications company also says that its investigation identified 163 Twilio users whose data was accessed by the intruders for a limited period. They also received notifications about the unauthorized access.
The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.
In previous updates on the incident, Twilio said that the breach impacted 125 customers, as hackers were able to access their authentication information.
h/t: Drozta
Comments
eagleoceantree - 1 year ago
The article states that "for those 93 users, the hackers would have been able to access the 2FA codes generated for the Authy users' accounts". This is not corroborated by the Twilio press release. It's possible that this is the case for the small number of websites that use "Authy tokens". It's unlikely that this is the case for the majority of websites that use "authenticator tokens", better known as time-based one-time passcode (TOTP) tokens. Authy encrypts users' TOTP secrets with their backups password before upload to Twilio's servers and their backups password never leaves their device.
68616c - 1 year ago
Synced devices have the same exact TOTP codes and rotation schedules. That's why there is a recommendation to disable additional devices (reduce down to 1), to eliminate possibility of devices/apps added without your intent/approval.
Krisjohn - 1 year ago
That option needs to be labelled "allow adding devices" with a clear note that disabling it doesn't disconnect existing devices.