Twilio has announced that Authy users, who rely on the multi-factor authentication (MFA) app to generate one-time passcodes, were compromised during a recent data breach.
The company said on Aug. 7 that a successful phishing campaign against its employees gave a hacker access to internal systems that were then used to "access certain customer data." Twilio said on Aug. 10 that it believed 125 of its customers were affected by the breach. Now that number has risen to 163 customers—and that doesn't include the compromised Authy users.
Twilio says that its "investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users - out of a total of approximately 75 million users - and registered additional devices to their accounts." It also says that it has "since identified and removed unauthorized devices from these Authy accounts" and reached out to affected users.
The company has advised those users to review accounts linked to Authy for suspicious activity, checking on all of the devices connected to their Authy account, and disabling the "Allow Multi-device" setting within the app. The first two recommendations could help minimize the impact of this compromise; the last recommendation is meant to reduce the risk of future incidents.
Twilio notes in a support article that "Allow Multi-device" is enabled by default so Authy users can maintain access to their MFA tokens if their device is lost, stolen, or otherwise unavailable. The company also highlights the ability to create these backups (or simply access tokens on multiple devices without repeating a setup process) in a comparison to Google Authenticator.
Read more on pcmag.com