Twilio confirms data breach after hackers leak 33M Authy user phone numbers

pembrook

While this sucks, my phone is in so many data breaches at this point it doesn’t matter.

The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.

If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.

jordigh

Took a while, but this commenter is finally correct:

> Why does Authy require I provide my cell phone number and email address? Why do I have to have a user account? This is completely ridiculous. I do not need nor want cloud syncing or backup. You are making Authy a potential target for attacks by associating a user to cloud stored 2FA information.

> This is not in the spirit of 2FA.

https://news.ycombinator.com/item?id=9100560

mihaaly

And they wonder in random organizations and businesses that I am not willing to give all my personal details right away on first contact despite their 'utmost importance' of handling my data very securely, all this just to be informed about their product. And they seems to be offended with a "but we did it so for many years now" on my refusal and saying goodbye if they try to insist this "company policy".

Unluckily sooo many give zero or negative fáck among their potential and existing customers. This includes businesses providing medical services sending all the clien't data and medical results in clear text email and even declaring for their own convenience that "The property and copyright or other intellectual property rights in the contents of any document or images provided to you shall remain our property", for your ultrasound results. Your medical results are their property for those use their services. So they do as they plase with their data, not your data, not your concern if it is protected or not. And people go there and rate this service 4.8 on google, insane. Of course no-one really reads TOC, not even for sensitive medical services. People do not learn.

kylehotchkiss

Twilio requires Authy for 2fa for sendgrid and maybe even twilio itself instead of supporting more standardized 2fa that’d allow 1pass to be used. This is all the more frustrating because I was forced to use Authy to protect an account instead of my regular tooling and they still managed to screw it up. Twilio, take a hint and stop forcing people to use your custom thing

  https://www.twilio.com/docs/sendgrid/ui/account-and-settings/two-factor-authentication

darkr

This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).

It took them two years to fix it.

snowwrestler

I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?

I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.

m00x

It's sad how awful Twilio's engineering has become. I used it super early on and it was amazing, and while they had hiccups, they were never major and they were growing pains.

Today they have incidents almost every week, and now data breaches.

duckmysick

> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests

How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?

Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".

localfirst

There really has to be steep repercussions for companies that fail to protect user data like this. At this point I can't help but feel that there is wilful neglect with the aim of exfiltrating data with unknowable aim.

Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.

More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.

Case in point, feeding haveibeenpwned with a bunch of HN user handles reveal a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles are very anti-regulation when it comes to user data ownership.

denkmoon

If you've got anything in Authy that isn't using the authy custom authentication scheme (ie. just regular TOTP) now is the time to get it out.

Exporting the raw totp tokens can only be done from the desktop version that is currently deprecated and scheduled to be nuked from existence later this year. It requires getting the tokens loaded into the desktop app, then downgrading to an older version so you can use the chrome remote debugger to run a javascript function against the desktop app (embedded chromium) which pulls out the raw tokens and gives them to you.

jonathanlydall

When I tried SendGrid it was super annoying that I had to install yet another Authenticator app on my phone. Now it’s become a point of data loss.

It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.

vishnumohandas

We built ente.io/auth

If you need a cross platform authenticator, do check it out.

FOSS, optional e2ee backups.

jmbwell

iOS/iCloud has a built-in TOTP function also. Maybe better for friends and family than some people here.

https://support.apple.com/guide/iphone/automatically-fill-in...

29athrowaway

> due to an unauthenticated endpoint.

This is truly unacceptable for an authentication product.

An authentication product that doesn't implement authentication correctly in their own APIs?

smaddox

No wonder I've seen such a major spike in spam calls / texts.

hypeatei

I just migrated off of Authy last week but I was probably caught in this breach, ugh. Never liked it but they make it extremely difficult to export your data.

I used this project for exporting: https://github.com/alexzorin/authy

EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.

godzillabrennus

Authy is basically unsupported. Not surprised. I switched my accounts to 1Password when they announced the end of life of the macOS app.

ndneighbor

I guess this explains the recent uptick in spam...

blackeyeblitzar

Authy makes it hard to migrate away. Anyone know how to get the seed of the 2FA codes? Is there really no export option?

deegles

I have removed all SMS based 2FA from every account that allows it and you should too.

xyst

Terrible. Glad I moved away from Authy a long time ago. Small reminder that I need to delete the account though.

maerF0x0

It feels funny to say "Hacker" when it was just someone one using something on the open internet the way it was (defacto) designed for, and just used it a lot.

Like if I crawl hackernews and download all the somethings am I a "hacker"?

To me a hack is some kind of escalation of privilege beyond what I'm truly entitled to (such as stuffing passwords, tricking software to run a payload, crafting a payload for service A so that it tricks Service B) ...

Not using curl on a loop.

okokwhatever

I still remember how hard was the process to be hired in this company. Maybe just a mask to hide the sad truth.

zenkan

One major problem I see with this hack is that the phone numbers exposed in the leak is the single factor of authentication needed to get access to an Authy account, including all the MFA tokens that the account has saved.

If there are any high-profile victims in this list SIM Swapping those phone numbers should be a very attractive approach.

I think security cautious companies should consider turning off multi-device support and start planning for a migration. This leak feels way riskier to me than what media reports it to be.

instagib

For iPhone, put the phone in do not disturb. It will send all calls to voicemail. If someone is on your emergency contacts, favorites, or 1by1 focus then a repeated call will actually ring your phone. Otherwise no notification. Not even a text counter increase unless the person taps (notify anyway).

Tried to do the same on an android phone and it didn’t work.

You can also port your phone to google voice or Fi and give away all your call information to them. Very few spam calls get through their filter.

I like the change phone area code to out of area and block all phone calls from that area that some call services provide.

otterpro

The main reason I didn't use Authy was that it requested phone number when signing up, and it didn't make any sense to me why they'd need it. Since then, I've been using 2FAS, since there's no personal data that can be leaked.

ZunarJ5

I have to thank this hacker for motivating me to move fully off this app again. Stopped being useful without the desktop app.

simcollect

How come companies don't care about encrypting their users' data in their databases?

It's been possible for a very long time now.

Yet, companies keep leaking. And people keep sleeping.

otachack

As alternatives: I use Authenticator Pro on my phone and keep encrypted backups whenever I modify it. I know others have pointed out Aegis.

The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!

gz5

consider* putting endpoints on a private overlay network in which network access is cryptography-gated (e.g. x.509 cert based).

then, a misconfigured endpoint (or a zero day etc.) can't be exploited by any_actor_on_the_internet - actors need to first complete the provisioning process you choose to enforce to be authorized to use the private overlay.

*not one size fits all, e.g. bad option if endpoints need to accept requests from unknowns.

however, many endpoints only need to accept requests from known (identified, authenticated, authorized) endpoints, and the added friction to id/authN/authZ get use the private overlay is not a business impediment.

there is a stigma here due to the horrors of NAC on private enterprise WANs. but NAC goals can be accomplished without that baggage via internet overlays and modern cryptography.

to be clear, i am by no means advocating to abandon traditional methods of endpoint auth - this it is just another layer which recognizes that single layers are rarely airtight (e.g. what just happened to Authy and Twilio).

bonestamp2

I recently setup a focus profile on my iPhone that only lets calls ring through from knowns contacts. There is going to be an adjustment period as I discover people and companies (such as doctors/hospitals) that I want to allow calls from and add them to the whitelist. But otherwise, it has been really nice to cut down on all of the interruptions.

xarope

I have resisted moving off Authy as I liked the idea of cross-platform cloud sync. That'll teach me. Any other suitable alternatives? Aegis is android only. I do run vaultwarden, but it means I need another 2FA to login to it, before I can use it as a 2FA for other sites.

Featherknight

Sucks that Twitch.tv still relies on it. My only service that uses it still, I’ve since migrated to other managers

MenhirMike

Does anyone have a recommendation for an Open Source 2FA OTP app? That's the only thing I use Authy for, to scan the QR Codes into the App and generate the 2FA tokens, but in a way that allows me to migrate to another phone without having to re-set all the 2FA tokens on the vendor side.

m4tthumphrey

I only answer the phone now if I know the caller or if I’m expecting a call, and even then I would usually let it go to voicemail and call them back.

Fire-Dragon-DoL

I had to use authy for damn twitch which couldn't go for normal authenticator. Thank you -.-

infecto

Good motivation to stop using Authy.

yakito

We should have something similar to Apple's hide my email for phone numbers

blackeyeblitzar

What’s a better 2FA product that is E2E encrypted and lets me export the seeds?

hi-v-rocknroll

Auth0, Authy, Okta, and the like were and are the fail of delegating critical functions to third-parties.

For authentication, authorization, and 2FA, run it yourself on-prem or go home.

delduca

I never trusted them, I hated the fact of having to use SMS.

andrewstuart

Can you imagine being the one to tell the CEO.

Dma54rhs

How to confirm if my number was one of the leaked ones?

486sx33

Damn 2FA with telephone numbers, I hate it!

awahab92

what do people use instead of twilio today? they make 2dcp verifications take too long

tristor

So fun story, I recently switched away from Authy for various reasons, but the key one was that I had to restore from a backup on a device and when I did so I realized the Authy had never actually deleted any of the 2FA/TOTP accounts I'd configured over the years, things that had been deleted on device literally 5+ years ago were still stored and available on request via their API.

In general, after that I started poking, and discovered a lot of things I hadn't bothered looking into before that make me extremely suspect of Authy's general security.

For those looking for an alternative, I use 2FAS and Yubico Authenticator with a Yubikey now. Yubikey only allows you to store up to 32 TOTP slots, which is very limiting (I have more than 60 TOTP accounts for 2FA), so I use two apps and "tier" my 2FA.

ehPReth

is this just like

anotherservicetwilioruined.example.com/api/doesthispersonhaveanaccount?phone=+12012000000

and then the service says 'yeah that number has an account' (and nothing else?)? then whomever repeats that for every possible phone number?

or... more than that?

ilrwbwrkhv

Jesus fucking Christ. Can these companies learn how to write software? Quality is dropping like dogs. Twilio used to be a good company and now they are utter shite. Such a shame. Leetcode and bad hiring practices have done this to our industry.

exabrial

That app is so dumb. Completely negated the usefulness of TOTP. Needs just to die already. Some executive over at Twilio signed the check for Authy acquisition and is still trying to justify the expense.

moffkalast

"Company who thought they'd lost all public trust loses last additional bit of trust they didn't even know they still had, more at 11."

rvz

My goodness, for the 100,000th time, just stop using phone numbers for 2FA. (I know you won't anyway)

There are no more excuses other than asking for your phone to be sim-swapped and your bank accounts or your wallets to be drained by call centers.

If this breach doesn't scare you from using phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.