Twilio's Authy 2FA code generator service has experienced a pretty serious hack.
Update to the latest app versions - beware of phishing attacks
“Twilio has discovered that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken measures to secure this endpoint and no longer allow unauthenticated requests.
We have not seen evidence that the threat actors gained access to Twilio's systems or other sensitive data,” the company sums up. It is not known exactly how many accounts are affected, but about 33 million mobile numbers are involved.
As a precaution, we ask that all Authy users update to the latest Android and iOS apps for the latest security updates. Even if Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to be diligent and be more aware of the texts they receive.
Twilio
So what is "smishing"? IBM explains: “Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information or sending money to cybercriminals. The term "smishing" is a combination of "SMS" - or "short message service", the technology behind text messages - and "phishing".”
The company encourages updating to the latest Android and iOS versions for security improvements and bug fixes. Twilio encourages anyone who cannot access their account to contact the service department.
In another Authy case, we reported in February that the company shut down its programs for Windows and macOS, so users had to move to the mobile apps by March this year.