Authy is a fairly popular app for generating two-step authentication codes, which are used to protect logins to accounts of all kinds, such as social networks, shopping sites, etc. Today it is in the news due to the theft of millions of its users’ phone numbers. This, as we will explain, is a major problem, because cybercriminals can use those numbers to commit crimes.
What should be a security app that keeps intruders out of accounts can become a real problem. This does not mean that access codes have been stolen, but having the phone numbers of millions of users can give hackers a significant advantage.
Problems for Authy
Specifically, 33 million phone numbers have been leaked. A cybercriminal has exposed a CSV text file containing all this information about the users of this popular application. Apparently, they obtained it through a poorly protected API endpoint.
The only data stolen is the phone numbers. However, this does not mean that attackers cannot go on to get hold of passwords, although to do so they would have to use social engineering, as we will explain. With millions of users affected, they have many chances of succeeding against some of them.
Authy has already taken steps to fix this poorly protected API endpoint. It has also released an update for its mobile app, for both iOS and Android. With this update, it aims to increase security as a precautionary measure against hypothetical attacks.
Why it can be a problem
But why can stolen phone numbers be so dangerous? Attackers can use them to obtain more data and even passwords. For example, they could send malicious SMS messages, trying to trick users into sharing two-step authentication codes, clicking on a link that leads to a fake website, or downloading a file that is actually malware.
They could also match those phone numbers against other databases that may have been leaked to learn more about those users. They could find out data such as full name, email address, physical address, etc. With all that additional information, they would have more chances of success in their attacks.
As a user, you cannot check whether or not your number is on the stolen list. What you can do is avoid falling for attacks. If you receive a suspicious SMS, never click on its links, give out information, or download files that could be fraudulent. You may receive a phishing attempt of this type in the next few days.
If you no longer trust Authy and want to switch to another service, you can use alternatives such as Bitwarden Authenticator, Google Authenticator or Microsoft Authenticator. What you should always keep in mind is that it is very important to use two-step authentication to protect your accounts.
In short, Authy has been the victim of a major theft of 33 million of its users’ phone numbers. Cybercriminals can use this information to launch phishing attacks. The key is to protect yourself and not make mistakes.