Earlier this month, Twilio became a target of a sophisticated social-engineering phishing attack compromising the accounts of several Signal users. Now, the American company has reported that the hackers had also gained access to the accounts of its two-factor authentication (2FA) service Authy.
The company released an incident report stating that the hackers could have gained unauthorized access to data by registering additional devices to user accounts. Since then, the compromised accounts have been identified, and the company has removed the additional devices from the targeted accounts.
Data of Authy users may have been compromised
According to Twilio’s report, the tech giant suffered a data breach on August 4, 2022. The alleged hackers sent phishing messages to the company’s current and former employees. The messages claimed to come from Twilio’s IT department and urged recipients to change their passwords because they had expired.
The hackers then asked the employees to visit a phishing page, which looked identical to Twilio’s website, including all the fonts, backgrounds, and UI. It was reported that one individual fell for the attack, ultimately leading the hackers to gain control of Twilio’s internal systems.
According to sources, the security team found that 163 Twilio customers had been affected by the breach, of which 93 Authy accounts were compromised by the threat actors. While browsing through the data, the hackers could access specific customers’ data, including details of Authy’s users. However, the amount of user data compromised was limited because the company responded quickly to the attack and stopped the unauthorized access to data on its network.
“Our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts,” the report stated.
As of August 30, 2022, the additional devices were removed from the affected accounts, and the company notified the account owners. Twilio also shared industry best practices for protecting Authy accounts via its blog. Authy is among the popular two-factor authentication applications and was acquired by Twilio in 2015.