Breach Debrief Series: Twilio’s Authy Breach is an MFA Wake-up Call

Hackers were able to check if a phone number was registered with Authy by feeding the number into an unauthenticated API endpoint. Using this data, hackers can conduct phishing campaigns to steal login credentials.

Hananel Livneh, Head of Product Marketing

Inside the Hack

Earlier this week, Twilio issued a security alert informing customers that threat actors had exploited a security lapse in the Authy API to identify phone numbers registered with Authy. The endpoint accepted requests without any authentication, so an attacker could submit a phone number and learn from the response whether it belonged to an Authy account. Repeating this for large lists of numbers yields a confirmed list of Authy users, which is exactly what an attacker needs to run targeted phishing campaigns aimed at stealing login credentials.
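The weakness described above is a classic enumeration oracle: an unauthenticated endpoint whose answer depends on whether the submitted value exists. The following is an added example, not Twilio's code or any real Authy endpoint; it models the vulnerable pattern next to a hardened version, with the handler names, the API-key store and the sample numbers all constructed for the illustration. The attacker loop does not look for a particular status code; it compares every response against the response for a number it knows is unregistered, which is how an attacker finds an oracle in practice.

```python
"""Phone-number enumeration through a lookup endpoint, and one way to close it.
Added example, not Twilio's code: the handlers, key store and sample numbers
are assumptions constructed for this illustration."""
import time
from collections import defaultdict, deque

# Constructed sample: fictitious E.164 numbers that have an account.
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}


def lookup_vulnerable(phone: str) -> dict:
    """Hypothetical handler with the weakness described above: no credential is
    required and the response differs for registered and unregistered numbers,
    so the endpoint doubles as a registration oracle."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True, "phone": phone}}
    return {"status": 404, "body": {"error": "not found"}}


def enumerate_numbers(candidates, probe) -> list:
    """Attacker loop: compare each response with the response for a number the
    attacker knows is unregistered; any difference marks a registered number."""
    baseline = probe("+15559999999")  # constructed, never registered
    return [p for p in candidates if probe(p) != baseline]


class HardenedVerifyAPI:
    """Hypothetical hardened endpoint with three controls: the caller must
    present a valid API key, calls are rate limited per key, and the response
    is identical whether or not the number is registered."""

    def __init__(self, api_keys, limit=5, window_s=60.0, clock=time.monotonic):
        self._keys = api_keys          # api_key -> tenant (constructed store)
        self._limit = limit            # max calls per key per window
        self._window = window_s
        self._clock = clock            # injectable so the window can be tested
        self._hits = defaultdict(deque)
        self.sent = []                 # numbers a code was queued for (stand-in for delivery)

    def _within_limit(self, key: str) -> bool:
        now = self._clock()
        q = self._hits[key]
        while q and now - q[0] >= self._window:
            q.popleft()                # drop calls that fell out of the sliding window
        if len(q) >= self._limit:
            return False
        q.append(now)
        return True

    def start_verification(self, phone: str, api_key: str = "") -> dict:
        if api_key not in self._keys:
            return {"status": 401, "body": {"error": "unauthorized"}}
        if not self._within_limit(api_key):
            return {"status": 429, "body": {"error": "rate limited"}}
        if phone in REGISTERED:
            self.sent.append(phone)    # side effect only; never surfaced to the caller
        # Same status and body on both branches, so the caller learns nothing.
        # Response timing is not equalised here; a real service should also avoid
        # a measurable timing difference between the two branches.
        return {"status": 202,
                "body": {"message": "If this number is registered, a code has been sent."}}


if __name__ == "__main__":
    cands = ["+15550000001", "+15550000002", "+15550000042"]
    print("vulnerable endpoint leaks:", enumerate_numbers(cands, lookup_vulnerable))
    api = HardenedVerifyAPI({"k_demo": "tenant-a"})
    print("hardened, no key:", enumerate_numbers(cands, api.start_verification))
    print("hardened, with key:",
          enumerate_numbers(cands, lambda p: api.start_verification(p, api_key="k_demo")))
```

Against the vulnerable handler the loop recovers every registered number in the candidate list; against the hardened one it recovers nothing, both without a key (every answer is 401) and with one (every answer is the same 202). The rate limit is the backstop for the case where a legitimate key leaks: it caps how many numbers a single key can test per window, and the caveat in the comment about timing is the part most often forgotten when teams fix only the response body.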

Twilio has since secured the API endpoint, but it still recommends that users update to the latest version of the Authy app and stay vigilant against phishing attempts. Twilio stated that it found no evidence that any other sensitive data was compromised.

Why is Twilio Important?

Twilio is a communications provider whose infrastructure underpins many SaaS applications. Developers integrate its APIs into their software to send one-time passcodes and other automated messages that secure accounts and engage customers, and its Authy app generates the one-time passwords used as a second factor. In addition to SMS, Twilio can send MMS, email and fax, and supports voice and video calls.

The one-time passwords generated by Authy serve as a second factor for multi-factor authentication (MFA), adding a layer of security beyond the password. MFA makes it significantly harder to break into an account even after the password has been stolen.

Even if you aren’t a Twilio customer, it is likely that Twilio is one of the components powering the communication of a SaaS application you use.

What should be done in the wake of the Authy breach?

The risk from this breach to SaaS users is that threat actors will use the phone numbers they harvested to run phishing attacks that compromise other SaaS applications. Security teams, app owners and IT teams may see an increase in login attempts using stolen credentials.

The most important measure these teams can take is to keep using and enforcing MFA wherever possible. What leaked was which phone numbers are enrolled, not the codes themselves; Twilio reported no other sensitive data compromised, so a properly enforced second factor still stands between a phished password and the account. MFA remains a critical aspect of authentication security and is fundamental in reducing successful attacks.

Here’s a three-pronged approach to secure your SaaS apps:
Hardening: Require MFA for all applications. When available, use a factor other than SMS, such as an authenticator app or a security key; these are not defeated by the SIM-swapping attacks used to hijack phone numbers. Because the threat here is phishing, prefer a phishing-resistant factor (a FIDO2/WebAuthn security key or passkey) where the application supports it: a one-time code typed into a convincing fake login page can be relayed to the real site in real time, whereas a security key will not sign a challenge for the wrong origin. Additionally, use an IP allow list to block access from outside the organization’s network or countries of operation.
Detection: Implement threat detection that flags suspicious login activity: bursts of failed logins from one source (brute force and credential stuffing), repeated MFA prompts sent to one user in a short period (MFA fatigue), and similar patterns.
Education: User education is paramount. Regularly educate users on phishing tactics, emphasize the need to verify senders, and train them to recognize a suspicious link.
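The detection step above names two patterns that are straightforward to catch with a sliding-window count over authentication logs: many failed logins from one source IP in a short window, and many MFA push prompts to one user in a short window. The following is an added example, not Adaptive Shield's or any vendor's detection logic; the log layout, the thresholds and the sample lines (fictitious users and documentation-range IP addresses) are all constructed assumptions. Because the failed-login rule also records how many distinct users the source tried, the same alert distinguishes a brute force against one account from spraying many accounts.

```python
"""Sliding-window detections for bursts of failed logins from one source and
repeated MFA push prompts to one user. Added example; the log format, thresholds
and sample lines are constructed assumptions, not any vendor's detection logic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (fictitious users, documentation-range IPs) in an
# assumed "timestamp event user source_ip" layout.
SAMPLE_LOG = """\
2024-07-03T10:00:01Z login_failed alice 203.0.113.7
2024-07-03T10:00:03Z login_failed bob 203.0.113.7
2024-07-03T10:00:05Z login_failed carol 203.0.113.7
2024-07-03T10:00:06Z login_failed dave 203.0.113.7
2024-07-03T10:00:08Z login_failed erin 203.0.113.7
2024-07-03T10:00:09Z login_failed frank 203.0.113.7
2024-07-03T10:01:00Z login_success alice 198.51.100.20
2024-07-03T10:05:00Z mfa_push_sent alice 198.51.100.20
2024-07-03T10:05:20Z mfa_push_denied alice 198.51.100.20
2024-07-03T10:05:40Z mfa_push_sent alice 198.51.100.20
2024-07-03T10:06:00Z mfa_push_denied alice 198.51.100.20
2024-07-03T10:06:20Z mfa_push_sent alice 198.51.100.20
2024-07-03T10:06:40Z mfa_push_sent alice 198.51.100.20
2024-07-03T10:07:00Z mfa_push_approved alice 198.51.100.20
2024-07-03T11:00:00Z login_failed bob 192.0.2.9
2024-07-03T11:30:00Z login_failed bob 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, event, user, ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                    # skip malformed lines
        ts, event, user, ip = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip))
    events.sort(key=lambda e: e[0])
    return events


def window_alerts(events, event_name, key_fn, threshold, window, rule) -> list:
    """Raise one alert per key the first time `threshold` events named
    `event_name` fall inside a sliding `window`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, ev, user, ip in events:
        if ev != event_name:
            continue
        key = key_fn(user, ip)
        q = recent[key]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()                                 # age out events outside the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": rule, "key": key, "count": len(q),
                           "distinct_users": len({u for _, u in q}),
                           "at": ts.isoformat()})
    return alerts


def detect(log_text: str) -> list:
    events = parse(log_text)
    alerts = []
    # 5 or more failed logins from one IP within 2 minutes; distinct_users tells
    # a single-account brute force apart from spraying many accounts.
    alerts += window_alerts(events, "login_failed", lambda u, ip: ip,
                            5, timedelta(minutes=2), "failed_login_burst")
    # 4 or more MFA push prompts to one user within 5 minutes.
    alerts += window_alerts(events, "mfa_push_sent", lambda u, ip: u,
                            4, timedelta(minutes=5), "mfa_fatigue")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this produces two alerts: the 203.0.113.7 source trips the failed-login rule on its fifth failure against a fifth distinct user (a spray, not a brute force), and alice trips the MFA fatigue rule on the fourth push in under two minutes, before the approval that in a real incident would be the attacker getting in. The two slow failures from 192.0.2.9 half an hour apart stay below threshold, which is the point of a windowed count rather than a lifetime total.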

Conclusion

The Authy breach highlights the evolving landscape of cyber threats. By adopting a multi-layered approach that combines stronger authentication methods, robust detection systems, and user awareness, you can ensure MFA remains a powerful tool to prevent attacks on SaaS apps.

About the writer

Hananel Livneh, Head of Product Marketing

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political science and Philosophy (PPE). Oh, and he loves mountain climbing.