15 Jan 2025

Twilio's Authy Breach: How 33 Million Phone Numbers Were Compromised

In a statement given to TechCrunch, Twilio spokesperson Kari Ramirez  said “The company has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

On June 27, 2024, the notorious hacker group ShinyHunters announced on online forum and dark web marketplace BreachForums that they had leaked data affecting 33 million phone numbers. This data breach targeted Twilio’s Authy service, a popular two-factor authentication (2FA) application. Twilio confirmed the breach at the beginning of July, revealing that threat actors had accessed private data, including phone numbers, due to a failure to authenticate an API endpoint.

Details of the Breach

Exploitation of Unsecured API Endpoint

On July 1, 2024 Twilio announced that third-party attackers had gained access to and downloaded private data linked to Authy accounts. This breach was the result of an unsecured API endpoint being exploited and PII including the following information exposed:

Massive List of Phone Numbers: Attackers fed a massive list of phone numbers into the unsecured API endpoint. 
 
 
 Validation and Information Retrieval: If the number turns out to be valid, the endpoint would provide information about the corresponding Authy account. 
 
 
 Leaked Data: The information included account IDs, phone numbers, account statuses, and device counts.

Potential Threats and Risks

Although Twilio believes that other private data remained secure, the compromised phone numbers and associated metadata were exposed to substantial risks.

Phishing Attacks: The data can be used to craft convincing phishing attacks.

Smishing Attacks: SMS-based phishing (smishing) can be executed using the stolen phone numbers. 
 
 
 SIM Swapping Attacks: Attackers can attempt SIM swapping to gain control of victims' phone numbers and access their accounts.  
 
 
 Further Exploits: ShinyHunters indicated that other hackers could use the stolen data in combination with other information to conduct additional breaches, including targeting cryptocurrency accounts.

Secondary Data Breach Involving AWS S3 Bucket

Twilio customers may also be at risk due to another data breach involving an unsecured Amazon Web Services (AWS) S3 bucket. This breach brought to light SMS-related data exchanged between January 1, 2024 and May 15, 2024. The breach details include:

IdentifyMobile Involvement: IdentifyMobile, a downstream carrier of Twilio's backup carrier iBasis, was responsible for the unsecured S3 bucket.

Exposed Data: The exposed data included SMS message bodies without login tokens and marketing campaigns.

Potential Personal Data Exposure: While Twilio has informed its customers about the exposed data, it could not rule out the possibility of personal data exposure.

Implications of the Breach

The breaches may have severe implications for Twilio and its users:

Identity Theft: Users' private information could be used for identity theft.

Financial Fraud: Compromised data can result in financial fraud.

Privacy Violations: Privacy of users is at significant risk.

Legal Consequences: Impacted users may be entitled to monetary damages and an injunction requiring changes to Twilio's cybersecurity practices.

These breaches underscore the critical need for robust API security and secure data handling practices to prevent unauthorized access and protect sensitive information

How the Breach Could Have Been Prevented

The primary vulnerability exploited in this breach was an unauthenticated API endpoint. To prevent such breaches, organizations should adhere to the following practices:

API Authentication: Ensure all API endpoints require proper authentication as it helps in preventing unauthorized access to sensitive data. 
 Rate Limiting: Implement rate limiting to prevent brute force attacks and large-scale data scraping. 
 Monitoring and Logging: Regularly monitor API usage and maintain logs to detect and respond to unusual activity promptly. 
 Regular Audits and Penetration Testing: Identify and address vulnerabilities through penetration testing and regular security audits.  
 Secure API Design: Follow best practices in API design, such as using HTTPS, validating input, and employing secure coding practices.

The Significance of API Security

Since APIs are the backbone of modern applications enabling communication between different software components, unsecured APIs can become entry points for cyberattacks, leading to data breaches, financial loss, and damage to an organization’s reputation. Ensuring API security is crucial to protecting sensitive data and maintaining user trust.

Steps Users Should Take to Protect Themselves

In view of the Twilio breach, Authy users should take the following measures to protect themselves:

Block Number Transfers: Contact your mobile service provider and set up your account to require a passcode for number transfers to prevent SIM swapping attacks. 
 Stay Alert for Phishing: Be cautious of suspicious text messages (SMS) asking for personal information or directing you to a website. Verify the sender's identity and avoid clicking on links or providing personal information in response to unsolicited messages.

How Rapifuzz Can Help?

The Twilio data breach underscores the importance of robust API security. By implementing proper authentication, rate limiting, monitoring, and regular security audits, organizations can protect themselves from similar attacks. Automated API Fuzzer RAPIFUZZ™ can play a critical role in bolstering an organization’s cybersecurity by:

Identifying the zero-day vulnerabilities in the initial phase itself i.e. in the development environment.

Providing you the recommendations for fixing and avoiding vulnerabilities.

Creating a detailed list of their API Inventory or the API-SBOM.

Easily test the rate limiting for each of their APIs

Test APIs to ensure that there is no sensitive and excessive data exposure

Check if the RestAPIs follow best practices and share the same with developers

Schedule API security testing to ensure all releases are tested before being released to the production environment

Ensuring that APIs comply with security best practices and industry standards aligning with OWASP API Security Top 10 2019 & 2023.

Text to Speech in Multiple Languages

In a statement given to TechCrunch, Twilio spokesperson Kari Ramirez said “The company has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

Details of the Breach

Exploitation of Unsecured API Endpoint

Massive List of Phone Numbers: Attackers fed a massive list of phone numbers into the unsecured API endpoint.
Validation and Information Retrieval: If the number turns out to be valid, the endpoint would provide information about the corresponding Authy account.
Leaked Data: The information included account IDs, phone numbers, account statuses, and device counts.

Potential Threats and Risks

Although Twilio believes that other private data remained secure, the compromised phone numbers and associated metadata were exposed to substantial risks.

Phishing Attacks: The data can be used to craft convincing phishing attacks.

Smishing Attacks: SMS-based phishing (smishing) can be executed using the stolen phone numbers.
SIM Swapping Attacks: Attackers can attempt SIM swapping to gain control of victims' phone numbers and access their accounts.
Further Exploits: ShinyHunters indicated that other hackers could use the stolen data in combination with other information to conduct additional breaches, including targeting cryptocurrency accounts.

Secondary Data Breach Involving AWS S3 Bucket

IdentifyMobile Involvement: IdentifyMobile, a downstream carrier of Twilio's backup carrier iBasis, was responsible for the unsecured S3 bucket.

Exposed Data: The exposed data included SMS message bodies without login tokens and marketing campaigns.

Potential Personal Data Exposure: While Twilio has informed its customers about the exposed data, it could not rule out the possibility of personal data exposure.

Implications of the Breach

The breaches may have severe implications for Twilio and its users:

Identity Theft: Users' private information could be used for identity theft.

Financial Fraud: Compromised data can result in financial fraud.

Privacy Violations: Privacy of users is at significant risk.

Legal Consequences: Impacted users may be entitled to monetary damages and an injunction requiring changes to Twilio's cybersecurity practices.

These breaches underscore the critical need for robust API security and secure data handling practices to prevent unauthorized access and protect sensitive information

How the Breach Could Have Been Prevented

The primary vulnerability exploited in this breach was an unauthenticated API endpoint. To prevent such breaches, organizations should adhere to the following practices:

API Authentication: Ensure all API endpoints require proper authentication as it helps in preventing unauthorized access to sensitive data.
Rate Limiting: Implement rate limiting to prevent brute force attacks and large-scale data scraping.
Monitoring and Logging: Regularly monitor API usage and maintain logs to detect and respond to unusual activity promptly.
Regular Audits and Penetration Testing: Identify and address vulnerabilities through penetration testing and regular security audits.
Secure API Design: Follow best practices in API design, such as using HTTPS, validating input, and employing secure coding practices.

The Significance of API Security

Steps Users Should Take to Protect Themselves

In view of the Twilio breach, Authy users should take the following measures to protect themselves:

Block Number Transfers: Contact your mobile service provider and set up your account to require a passcode for number transfers to prevent SIM swapping attacks.
Stay Alert for Phishing: Be cautious of suspicious text messages (SMS) asking for personal information or directing you to a website. Verify the sender's identity and avoid clicking on links or providing personal information in response to unsolicited messages.

How Rapifuzz Can Help?

Identifying the zero-day vulnerabilities in the initial phase itself i.e. in the development environment.

Providing you the recommendations for fixing and avoiding vulnerabilities.

Creating a detailed list of their API Inventory or the API-SBOM.

Easily test the rate limiting for each of their APIs

Test APIs to ensure that there is no sensitive and excessive data exposure

Check if the RestAPIs follow best practices and share the same with developers

Schedule API security testing to ensure all releases are tested before being released to the production environment

Ensuring that APIs comply with security best practices and industry standards aligning with OWASP API Security Top 10 2019 & 2023.