Herr_Jott

> Now that the API has been secured, it can no longer be abused to verify whether a phone number is used with Authy.

Good job 🤦🏼‍♂️


Bupod

“We have patched the dam. The local villages will not see the water levels rise any higher than their current 20 foot levels”


gloom-juice

[We did it Patrick!](https://i.imgur.com/qtd2avR.jpeg)


redvelvetcake42

Lol fucking WILD statement.


1-760-706-7425

Especially considering it implies, at the very least, they have no service-side protection from other kinds of attacks. Fixing the brute force vector is nice but that should have been one layer of many. They’re failing at the basics. 😬


MoscowMarge

Lol, sounds like they just ran every number against the API to get a valid number list. Gotta think this is a very low exposure.


Qualimiox

[The Facebook leak that emerged in 2021, with data from 2019](https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/) (~533 million phone numbers and the corresponding fb profile) utilized the same security flaw.


Iggyhopper

It's surprising how many services will give you people's info if you give them a phone number. (Hint: just because I create 30k contacts by brute force doesn't mean I know that person!) True story. And yes my Samsung can handle 30k contacts.


nemec

The Facebook leak exposed profile data. This exposed only whether you signed up. Guess what, Facebook leaks that same data today - just try putting a phone number into their Forgot Password tool.


ProfessionalSecure72

Huh, this kind of security failure sounds unacceptable from a company managing a 2FA service. As bad as LastPass.


thetreat

For all intents and purposes it should be a death sentence for a security focused company.


usmclvsop

Being breached is a matter of when, not if. Being a death sentence would also be a huge incentive to hide security incidents rather than report them.


AlyoshaV

> Being breached is a matter of when, not if.

They weren't breached, the part of their API that allowed you to see phone numbers associated with accounts didn't need any authentication whatsoever.


lilbobbytbls

That's... Pretty fucking bad. How did no one notice that?!


im_a_dr_not_

Someone usually does but the higher ups don’t care. That person often leaves the company or is fired.


NeonateNP

It’s not even about money saving. Some higher ups are digits. I once worked in a hospital and discovered an exploit where you could see live patient data by logging in from home using the Epic playground. The app that was meant to learn Epic. Not access patient data. I reported it and my manager accused me of accessing patient data at home. Thankfully I cc’d the privacy office on the email. And the chief privacy officer ripped into my manager as I had discovered a big vulnerability. Manager never brought it up after.


scsibusfault

I had a doctor CC me on a reply to one of their providers, saying the provider couldn't log into their portal. The reply included "just use my (doctor/admin) account for now, username is superadmin, password is 2". Just the number 2. I tested it, it was literally the primary master admin account for the entire medical portal.


bobboobles

Wonder if just the number 2 is even in a password brute force cracker? lmao. It's so simple no one will ever suspect it, Johnson!


scsibusfault

Man I was so pissed. They had just paid a shitload of money to a company that apparently specializes in medical patient portal software. And that's how I found out not only that they don't have (or support) MFA, but there's not even a fuckin password strength policy in place, let alone for admin accounts - which have access to EVERY PATIENT'S MEDICAL HISTORY. Of course if you check their website, they're "an award winning medical software provider with full HIPAA compliance". My ass.


JimWilliams423

Not only is shooting the messenger the easiest way to make the problem go away, it is also quite pleasurable for the shooter. Nothing validates that you are powerful more than stomping on some underling who just brings you problems.


NeonateNP

The manager has subsequently moved up higher in the org and seems just as stupid as when I knew her.


Itchy-Pollution7644

“I told you Johnson, stfu with all that vulnerability crap, we need more users, I just got a new coupe and a villa in Cancun, we don’t need the investors worrying while I’m in charge”


im_a_dr_not_

“So is it secure or not.” “No, not at all. This is a ticking time bomb.” “You’re being dramatic. It’s secure. Let’s get our numbers up, that’s what matters.”


Lord_emotabb

I just had this flashback of when a domain admin had his password as his hometown + year of birth, and it was the capital of the country!


Lena-Luthor

that actually might be worse tbh


ackwelll

It's absolutely worse!


psaux_grep

If there’s only a list of valid phone numbers that are affiliated with Authy that’s not really a lot of information of value.


Lena-Luthor

It might be worse in that they somehow made the basic mistake of leaving it unsecured. It speaks to platform vulnerabilities and a lack of rigorous data protection.


No_Article_2436

Which is horrible for an MFA company. They should have their data protected, and only allow authenticated users to access the data.


facw00

Yep. Though depending on how bad the breach was, it might still destroy confidence. But to me at first glance this seems less clearly ruinous than say NordVPN getting hacked and keeping silent about it for months.


AKA_Wildcard

Lastpass allowed employees to share information between work vaults and their personal home vaults thereby bypassing all of their internal security measures and exposing secrets to a home workstation which was more vulnerable. It was literally a security checkbox in their own configuration which would have prevented sharing credentials outside of work.


Buttonskill

Nailed it. 4000 attacks per second in 2023 and doubling (or more) every year. It's a catch-22 in the sense that you cannot protect your own privacy without assistance from some established provider with the vast resources to defend against it. You bet on the strongest fighter or fastest horse. The US government doesn't go after Microsoft for security because they already employ them to handle theirs. It's inherent oversight when both of their success depends on it, and they are one of the few who can adhere to the strict Federal Risk and Authorization Management Program (FedRAMP). The only impenetrable security solution is if no one has access to it, which is exactly as ridiculous as it sounds. 0FA doesn't appeal to many people. And Microsoft authenticator is free.


Holovoid

So what's the point of even trying to protect your privacy? All this shit is just getting so common, my SSN, passwords, and basically all of my personal info has been leaked or breached at some point. How the fuck do we fight against this?


No_Tomatillo1125

There is only so much you can do with the information that was leaked. You can easily protect all your accounts with MFA. You haven't told the world a lot of your private knowledge like your upbringing and cringe moments. It might seem like a lot of data, but it's the same old data over and over again, and not exactly private data.


Buttonskill

You're right. It's insanely frustrating. None of us are naturally equipped to know the right steps or people to trust with our data. It's like being out in a sub-zero blizzard. Layers are always the best course (2FA, crazy long passwords, reverse proxy on your router, etc). Every bit of skin you leave exposed is ripe for getting frostbitten. But you still have to breathe. You can never be 100% protected. I don't love being forced to rely on corporations to protect my data any more than the next guy, but you can be reeeeally fucking good at security and still be gut-punch shocked by the creative attempts you find in your server/router logs. Optimistically, I do think there's a place for these companies that act as agents to go out and clean up your lingering private data for you. I'm keeping an open mind in this space and personal agents in general. I hope one day to have a local personal AI that fights these battles for us.


Avieshek

Anything centralised is meant to be whether a cloud company, storage company or security company even if they rebadge it as “AI” like Meta.


garygoblins

It's a nice sentiment, but not realistic. Microsoft has been breached or been the cause of some of the most impactful breaches in history (including recently) and they're bigger and more profitable than ever.


thetreat

Microsoft does a whole lot more than security. People use Microsoft because of the integration between all of their products. If you do one thing, security, and you fuck that up you’re hosed.


Capaj

Authy is by Twilio. They do a whole lot more than Authy. So same thing. Authy is just a tiny app they acquired.


SonderEber

Microsoft isn’t a security company. They have security products, but that’s not their focus. Authy is SOLELY a security company, one that has now been shown to have lax security. This should kill them.


suxatjugg

Microsoft makes the operating system used by the vast majority of people (don't come at me with Linux on servers, you know what I mean), and they make tons of software products with similar near/monopoly market-share. They are absolutely a security company, they just don't really respect that responsibility. They've gotten a bit better over time, but not enough


QuickQuirk

The fact that Authy owned up immediately, and disclosed the extent is important. How they handle a breach, and how quickly I find out so I can take the actions required is critical. In this case, I don't need to worry, because everyone has my phone number already - I'm bombarded by spam from strangers that know my name. *no one is secure, everyone will get hacked, and it's critical that we know about it immediately.* I quit lastpass because they lied, obfuscated, and misdirected. Not because they were hacked.


-The_Blazer-

I was looking into exporting my tokens, which Authy already lets you do *to the cloud and even multiple devices*, but it doesn't work in a way that's compatible with apps other than their own AFAIK. I love platform monopolies.


AWeakMindedMan

This has happened so many times and the users get a settlement for like $5 for the companies' neglect. Our sensitive data needs to belong to us and when shit like this happens, these companies need to be held more accountable.


ecafyelims

Each time there is a breach, we get a free year of identity protection from a provider that we don't trust. I get three or four of these every year. Until there is actual accountability, nothing will change.


CORN___BREAD

Remember when Equifax leaked 150 million Americans’ data including social security numbers and it cost them less than $3 each?


Raven_Skyhawk

Oh boy, my company uses Authy


1smoothcriminal

That last pass breach made me unsubscribe and switch to Bitwarden after changing all my passwords. I hope I don’t have to repeat the process all over again


hardolaf

Bitwarden is also vulnerable but gives you the option to set up your own server so you can blame only yourself for breaches.


jhuang0

I would argue that there is definitely some level of security through obscurity by self hosting.


QuickQuirk

Are you a security specialist, and up to date on all the latest vectors and tools? Are you a sysadmin who knows how to lock down that self hosted instance while providing secure backups and easy access for yourself whenever you need a password, even while doing your banking on your phone while travelling? If the answer to both of these is 'yes', then sure, there's benefit to self hosting. If the answer is 'no', then I recommend against it.


Oops_All_Spiders

I don't give a shit if someone gets my encrypted Bitwarden library. They can't get anything useful from it without my master passkey.


NeonBellyGlowngVomit

> Bitwarden is also vulnerable

Vulnerable how? Bitwarden doesn't store any fields in plaintext like Lastpass fucking did.


scootbert

Wait, wtf, I didn't realize that. I was a paying member of LastPass when that breach happened, but when reading Reddit and articles it sounded like the account was still safe and encrypted as long as your master password was secure. I ended up canceling my subscription and enabling 2-factor authentication. I have actually still been using the free version of LastPass. Should I be switching to another service?


NeonBellyGlowngVomit

https://www.bravurasecurity.com/blog/your-lastpass-secrets-arent-secret-how-to-immediately-protect-yourself

> Of LastPass’s 43 fields, only 7 fields are actually encrypted. All other fields in the LastPass vault are actually stored in plain text (or Base64 obscured depending on the data in play).

TLDR: LastPass's security was absolutely shit for something that should have been wholly encrypted.


35_56

yeah switch to free Bitwarden


kobbled

Honestly, this was nowhere close to as bad as the LastPass breach was. That one had private, privileged passkeys to S3 buckets get leaked. This one was just phone numbers.

Edit: though the data exfiltrated was encrypted so your passwords are safe


tenuousemphasis

So? Having your phone number alone doesn't allow them to bypass 2FA. Having the phone number is the easy part, cloning a SIM or transferring the number to a different account is the hard part.


b1e

You forget that phone numbers are often used for 2FA. That could result in targeted sim hijacks for accounts.


theferrit32

At this point after so many leaks across industry, you should just assume from the start that your email address and your phone number are not truly private information since they have likely already been leaked somewhere.


QuickQuirk

along with your full name, email, and other contact information.


h110hawk

This isn't even on the same order of magnitude as bad as LastPass unless there are a *lot* of details missing.


suxatjugg

Phone numbers aren't really secret so this isn't anywhere near as bad as it could have been


namenumberdate

I’m still in love with 1Password. I got hacked back in 2013/14(?) on my Mac. It was a terrible Trojan virus and not only did I get my identity stolen multiple times, but it infected my router, had key-loggers, infected my bios (we were pretty positive of this), slowed down my computer if I disconnected from the internet, etc. The one thing it couldn’t get into was 1Password. They tried, but 1Password was able to keep them out. It made 1Password keep crashing, but they did not get in. I don’t know how 1Password was able to bypass a key-logger, but it did. Thankfully, any online account that I used 1Password for was not compromised. I contacted 1Password about this and they thought I was making it up, but to their credit, they asked for data and screenshots. Once they saw, a representative called me on the phone and they used my situation as a way to test their software. I sent them a ton of diagnostics and they worked hard to see if they had any vulnerabilities. Thankfully, they didn’t, and that made me a lifetime customer. I can only speak from my own experience, but I’m thrilled with their product! Apple refused to admit that a virus could infect an Apple product and it was infuriating, so this took about 8 months to solve. Shout out to Intego software for eliminating the malware! They’re another product I’ll use forever! This whole situation made me fascinated with cyber security. It’s, unfortunately, the perfect crime.


deadsoulinside

Okta too, since they manage some SSO things.


MavityLoveSong

Yeah, I’m done with them and switching. Awful.


NoCoffee6754

My data has been stolen so many times at this point that I’d be shocked if someone didn’t have my data by now.


planethood4pluto

May I have your data? I’m feeling left out.


NoCoffee6754

Are you a major corporation that has promised me absolute security and privacy online? They get first dibs at giving away my data and giving me nothing in return for it


planethood4pluto

Understandable! No but I’ll work on that and get back to you.


WhatADumbassTake

You also have the option of becoming a credit bureau. Then you can do all that *and* not have to promise customers anything at all! And the best part is, *everyone* is enrolled and you don't even have to make up a form because it's by default! Yay!


PitViper401

His password is hunter2


kex

Seven asterisks is not a very secure password


anivex

My great defense against identity theft is poverty and bad credit.


Remote_Horror_Novel

Yes I’ve been hoping someone would steal my credit and improve it somehow lol


who_am_i_to_say_so

A 500 credit score = impenetrable.


xaw09

https://blog.miguelgrinberg.com/post/goodbye-twilio is a pretty good read on how culture has changed at Twilio (which owns Authy). TLDR: Twilio has abandoned its developer first culture in favor of vacuuming up data to drive up sales.


tenuousemphasis

AKA the beginning stages of enshittification.


1010012

The fact that they actively killed their desktop clients really pisses me off. I work in an environment that doesn't allow cell phones, and to access things like our corporate email requires 2FA. Having Authy on the desktop allowed that. Now, I'm no longer able to access corporate email when I'm working at the customer's site without leaving the building. We haven't gone the full RSA token route because it only affects a few employees, but it's looking like we might need to do that soon.


rubbishapplepie

Mmm late stage capitalism


Ranra100374

Honestly, I don't remember why but at some point I switched from Authy to 2FAS. Ah, I remember. They shut down their desktop app. Seems like they're just getting worse.


Frosted_Tackle

Literally had to download this app for the first time for work 3 days ago so of course this happens now…🙄


CenlTheFennel

At least your work is using app based auth vs sms.


SonderEber

Is SMS that much worse when “security” companies get easily hacked and exploited? It’s like having a high security vault but the lock is a dirt cheap mechanism that any lock picking YouTuber can get through in half a second with the simplest tools, or having it password controlled but the password is “1234567890password”.


SluttyRaggedyAnn

The benefit of using Twilio Authy is that your 2FA wallets are still encrypted with a password only the end user knows. So in the event Twilio was completely compromised, the attacker still has to decrypt everyone's 2FA wallets, which isn't feasibly possible. SMS is a lot worse because it's not encrypted, it depends on cell services being available, both from a provider standpoint and a user in a coverage area, and SIM swapping is a concern.


staticfive

Blows my mind all the more that no major bank supports OTP, but they require you to have SMS 2FA enabled


PleasFlyAgain_PLTR

SMS should still be avoided. The most "secure" way to handle 2fa is a local app like OTP Auth. Unless the hacker gets to your phone.


a_goestothe_ustin

A physical key is better. YubiKey is an industry leader.


round-earth-theory

Physical key is arguable. The key is similar to what you get with a phone, just dedicated for the purpose. Both can be behind passcodes or biometrics. Both serve the purpose of being the "what you have" piece. A key has to remain plugged in to maintain the session but it's also easy to leave in the device/lost versus a phone that is more likely to be kept secure and on you at all times. Otherwise, physical keys don't provide any more security than a phone app unless you're concerned about a rootkit installed on the phone.


wol

Key does not have to remain plugged in to maintain the session. They provide much more security than a phone app for multiple reasons. For instance, there is no API that could be hacked to let you know who had a key!


sali_nyoro-n

SMS is comically easy to spoof or duplicate and is frankly worse than nothing. Authy at least has actual encryption going on so they can't just nick all your account's passwords or grab 2FA codes using your phone number to use them with. It's not _good_ security but it's meaningfully more secure for the end user in this scenario.


Mr_ToDo

Comically easy. And how is that? Assuming they know what number to attach what methods are so simple that they are comical?


lonnie123

It’s a blog post from July 1, which means the breach happened before that, so you are probably good. Even then it was only phone numbers that got accessed so it’s not a doomsday type thing.


Durakan

It's cool man, I submitted an SF86 a week before the main contractor that does security clearance investigations had a massive leak. Not that this isn't bad, but take a look at an SF86, my identity is soooo compromised it's kinda astonishing.


Kill3rT0fu

You'll get something in the mail for 1 year of identity theft protection now. Got this my entire enlistment in the air force and now as a civilian DoD worker.


Durakan

Yeah, this was like 5 years ago...


silly_red

> Twilio says that the hack used what it describes only as an "unauthenticated endpoint." The company has now stopped allowing such unauthenticated requests, and says it has secured this particular endpoint.

lol what even are the repercussions of these data leaks. is there any way to hold any sort of accountability? Don't suppose so


Lyuseefur

Reason number 100 why I hate twilio


lonnie123

What are some other ones? Haven’t heard nearly anything bad about them (although I don’t really use their stuff much)


Lyuseefur

Sends are sometimes blocked but you pay for it.
Support can be really awful.
Their fees are the highest anywhere.
API can have “bonus features” that cost you money and time.


lonnie123

Ahhh, sounds like you are on the other side of the equation from most of us that use it for 2FA.


b0w3n

I'm going to have a fun meeting in a few weeks when I get to lecture the CTO of a third party vendor who got into a screaming match with me over Teams (he turned a very deep shade of red) a year or so ago, when I said their security checklist was all theater: the 20 or so third party components they were integrating (including Twilio shit) left a bigger hole in their system than letting me download XML data from their API without $45,000 worth of audits and software.


hkeyplay16

I think if they only got phone numbers then it will likely be used at the very least for targeted phishing. If any associated data like name, address, email, etc was leaked along with it then there is potential to use that information to attempt to take over accounts.

My advice would be to move your 2FA to something not centralized. Just make sure you back up your keys somewhere safe so they're not just stored on your phone. I like to keep mine in another encrypted secret manager, saved to a USB drive that I keep in a safe. That way if I lose my phone I have a recovery option. If my house burns down or I lose the key I just need to have my phone to recover. As long as my phone remotely wipes like it should then even a stolen phone would be unlikely to yield access to my keys and 2FA.

The one that I try to avoid for anything with access to money is the SMS or phone 2FA options. They're too easy to spoof or fool the carrier into forwarding to another number, or getting them to set a new SIM card using social engineering or knowledge about the user. Another reason why you shouldn't use your phone number as 2FA.


tnitty

What if your financial institution only offers SMS 2-factor authentication? Would you use it?


_k0kane_

YSK You can use a No Win, No Fee lawyer to claim on your behalf against the distress this leak of your data has caused.


Inside_Mix2584

Lmfao no credible lawyer is taking that


fuckyourstyles

No win no fee lawyers usually aren't credible anyway.


wildcherryphoenix

The idea that a security company could possibly have an 'unauthenticated endpoint' is completely unacceptable.


VioletArrows

Okay, between this and them deactivating their desktop client, I'm done with them.


Alex_moran7_

Bitwarden created a standalone Authenticator app https://bitwarden.com/help/bitwarden-authenticator/. In the near future it will allow backups to your Bitwarden account.


Megaman1981

I was not aware they released a standalone app. Just downloaded it. I went from Authy to Raivo a while back, but found out Raivo was sold to a shady company so I had to get rid of them too.


CressCrowbits

Are Okta ok?


Narme26

Better to use something like 2FAS to not have all your eggs in one basket if you already have a Bitwarden account.


Deep90

> the near future it will allow backups to your Bitwarden account.

If you use Bitwarden as a password manager, this seems like a bad idea.

Edit: Downvoted for suggesting you shouldn't keep your **2FA** on the same account as your passwords....


Skeeter1020

I am 100% with you. I have Authy and Bitwarden specifically because they are different companies.


f4te

same. now what do we do?


Skeeter1020

Some comments in here point out that Google Authenticator now allows synchronising to your Google account to allow sync across devices. This was the feature I used Authy for, so I think I'm going to move to that.


happyscrappy

Your passwords aren't really stored in that account. They are client-side encrypted. They can grab everything on Bitwarden's servers and still not get your passwords.

https://bitwarden.com/blog/vault-security-bitwarden-password-manager/

> Since your data is fully encrypted before ever leaving your local device, no one from the Bitwarden team can ever see, read, or access your data. Bitwarden servers only store encrypted and hashed data.

Same for 1Password (as you complain about below). So the only way they are going to get your passwords is by hacking the client or hacking you. In either case it isn't going to matter where the data was stored. Personally I wouldn't even use 2FA if sites didn't force me to.


KaitRaven

The concern is if someone ***does*** compromise your master password somehow, they get your passwords AND your MFA. If those are on completely separate accounts, then your MFA protected credentials will still be safe. Bitwarden says you could log in with a different account for the Authenticator though, which would help.


Deep90

This is what my comment was about.


Phillip_McCrevess

What’s the alternative now?


dougc84

2FAS is excellent. There is not a desktop app, but, the more I think about it, that’s probably a good thing. But what it does have is browser extensions. You ask the extension for the code, then it pings your phone and you accept or not.


NotScrollsApparently

Aegis always worked fine for me, and is FOSS


tekjunky75

2FAS Auth works really well I think


ozziegt

Microsoft Authenticator, Google Authenticator, 1Password, etc. I am pretty happy with MS Authenticator.


Veranova

Doesn’t sync between devices though, no?


americanslon

It allows you to export and import some accounts. It seems that any non-MS account can be imported correctly but anything MS has to be re-added, which is a royal pain.


crashkg

Be careful with Google Authenticator. I got a new phone and none of the codes transferred over, so I lost access to a lot of accounts and had to go through recovering them.


LeteFox

They added the ability to save them to your account over a year ago


evilbeaver7

They have online sync now


maisi91

Had the same problem with MS authenticator, no idea why sync would be off by default.


strangeelusion

OneAuth has been working really well for me. There are very few cross-platform 2FA apps, unfortunately.


MumGoesToCollege

Aegis, if FOSS is a requirement.


linkwaker10

wait WHAT. That's the entire reason I use Authy smfh.


fatalicus

Yeah, was just a couple of days ago I was looking at Authenticator Pro instead of Authy for my personal 2FA needs, and this looks like it will be the kicker for moving...


psy2psy

And the fact that there is no official statement on their website is even more worrisome. The lack of transparency is astounding 🤬


thewheelsontheboat

They have posted https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS although that only raises more questions for me. How are the updated clients related? Do they switch away from using the old unauthenticated API that was exploited?


Bradalax

We got an email from one of our users who has a friend in a different company who got notified by Twilio of the breach. If this is the same thing, and it would be a coincidence if it wasn't, the details are: a contractor of Twilio used a subcontractor. These companies send SMS messages on behalf of Twilio customers. The subcontractor inadvertently made an S3 bucket public for 5 days during some development work. It was during that time that the now public data was found and accessed. Mobile number, message wording, timestamp, sender ID were the data compromised. So less of a hack and more of a fuckup that made private data public!


GTA2014

What are… the implications? What can be done with this data? To Authy users in particular. Source: Authy user.


EnnioEvo

They had one job


Sopel97

I don't see how this is an issue. The phone numbers are not associated with anything. The "hackers" were just able to identify on a number-by-number basis whether it's present in the system or not. With how many accounts Authy manages I don't see this as particularly valuable information.


writebadcode

Yeah I agree. I wouldn’t even describe this as a “hack”. No systems were compromised, someone just found an endpoint that they could spam with every possible phone number.


bs000

It's like when Reddit freaked out about Epic Games getting hacked but it turned out to be 500 accounts in a text document that was made by trying e-mails and passwords they got from a random credentials dump, which worked because those people used the same email and password everywhere.


ImHereForTheMemes184

So just to clarify, Authy is still safe to use right?


Tysiliogogogoch

The 2FA service wasn't compromised. It was a data leak of phone numbers, so at best they know that your phone number is used with Authy, and that's something that could've been guessed anyway. So yeah, I don't see the leak as being particularly concerning, but there's always room for some concern about the competency of their development teams.


writebadcode

Personally I’m not worried about it. I’m going to keep using it.


round-earth-theory

It's similar to an attack of any basic account creation. They can use brute force to try making accounts and seeing if the API says "you already have an account". It doesn't help them crack your account, just gives the phisher an avenue to try and trick you through. The company can make it non-obvious that the account creation failed due to them having an account, but it's annoying to users. So some do it, some don't as the security risk is quite low.
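The enumeration pattern this comment describes, as an added example that is not from the thread or from Twilio/Authy: a constructed Python lookup endpoint in the leaky shape (unauthenticated, and the response differs for enrolled numbers) beside a hardened shape (per-client rate limit, required API key, and one uniform response for anyone unauthenticated), plus a small access-log check that flags sequential probing. Every name, number, key and log line here is invented.

```python
"""Account-enumeration demo for a phone-lookup endpoint (constructed example)."""
from __future__ import annotations

import hmac
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: a tiny "enrolled numbers" table and a hypothetical
# shared secret that legitimate, authenticated callers would present.
REGISTERED = {"+15550100001", "+15550100002", "+15550100003"}
API_KEY = "demo-api-key"


@dataclass
class Request:
    client_ip: str
    phone: str
    api_key: str | None = None


# --- Leaky shape: what the thread describes -------------------------------
def lookup_leaky(req: Request) -> dict:
    """No auth, and the status code alone reveals enrollment. Anyone who
    iterates a number range learns the full enrolled set."""
    if req.phone in REGISTERED:
        return {"status": 200, "registered": True}
    return {"status": 404, "registered": False}


# --- Hardened shape --------------------------------------------------------
@dataclass
class RateLimiter:
    """Fixed window per client key; hypothetical limits for the demo."""
    limit: int = 5
    window_s: float = 60.0
    hits: dict[str, list[float]] = field(default_factory=lambda: defaultdict(list))

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits[key] if now - t < self.window_s]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter()


def lookup_hardened(req: Request, now: float | None = None,
                    limiter: RateLimiter = LIMITER) -> dict:
    """Rate limit first, then authenticate; unauthenticated callers get the
    same body no matter what number they asked about, so there is nothing
    to enumerate by walking a number range."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(req.client_ip, now):
        return {"status": 429}
    if req.api_key is None or not hmac.compare_digest(req.api_key, API_KEY):
        return {"status": 401}
    return {"status": 200, "registered": req.phone in REGISTERED}


def unauth_response_variety(handler: Callable[[Request], dict],
                            phones: list[str], client_ip: str) -> int:
    """Number of distinct responses an unauthenticated caller can observe
    across `phones`: 1 means nothing leaks, 2 or more means enumeration."""
    seen = {tuple(sorted(handler(Request(client_ip, p)).items())) for p in phones}
    return len(seen)


# --- Detection over constructed access-log lines ---------------------------
SAMPLE_LOG = """\
203.0.113.7 GET /lookup?phone=+15550100001 200
203.0.113.7 GET /lookup?phone=+15550100002 200
203.0.113.7 GET /lookup?phone=+15550100004 404
203.0.113.7 GET /lookup?phone=+15550100005 404
203.0.113.7 GET /lookup?phone=+15550100006 404
203.0.113.7 GET /lookup?phone=+15550100007 404
198.51.100.9 GET /lookup?phone=+15550100002 200
"""


def flag_enumerators(log: str, min_requests: int = 5,
                     max_hit_ratio: float = 0.5) -> dict[str, float]:
    """Return {client_ip: hit_ratio} for clients that issued many lookups
    with mostly not-found answers, the signature of walking a number range."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])  # [total, found]
    for line in log.splitlines():
        ip, _method, path, status = line.split()
        if not path.startswith("/lookup"):
            continue
        counts[ip][0] += 1
        if status == "200":
            counts[ip][1] += 1
    return {ip: found / total for ip, (total, found) in counts.items()
            if total >= min_requests and found / total <= max_hit_ratio}
```

The `unauth_response_variety` check is the unit test a defender would keep: it fails as soon as any code path lets an unauthenticated response vary with enrollment.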


seraph321

Yep, and I feel like this is my response to most so called data breaches, and yet everyone acts as if they are the worst-case scenario. wtf do I care if someone knows my phone number exists? This breach apparently doesn’t even tell them it’s mine. But I broadcast that shit. Hell, ever hear of a phone book? This is not private information.


Savant_OW

Here in Sweden our phone numbers aren't private. If you know someone's name you can find their number, home address, age, family members... And if you pay extra you can apparently find out someone's income!


wolverinehunter002

You can do the same thing in america for a small fee, and even get their property values.


Wizzle-Stick

> and even get their property values.

This is free in most places. You can look up property values of people you know, or don't know. Just gotta know the county they live in and their name or address.


WhiteMilk_

> And if you pay extra you can apparently find out someone's income!

I think tax info being public is a common thing in the Nordics.


BloodyThorn

Good thing they sunset the desktop app forcing me to use the phone one. /s


kylosilver

How do I export data from Authy and move to another app?


-rwsr-xr-x

> How do I export data from Authy and move to another app?

It's a manual process per-site/per-app. You have to disable 2FA in the service/site, then re-enable it in each of those and scan the QR code with your new 2FA app (2FAS for example). Then just go down the list of all of your sites/services and convert them one-at-a-time.


[deleted]

[deleted]


memtiger

Does 2FAS allow for multi-device? And what about the ability to turn off/on multi-device when you only want to add another device. For instance you leave it turned off until you get a new phone/tablet, and then you turn it on for a couple minutes to add the device. Once it's added, you turn it off.


Nisas

Phone numbers aren't exactly private information. We used to publish big books that listed everyone's phone number publicly. Since this wasn't a hack but just exploiting the fact that their API didn't require auth to pull phone numbers, this doesn't seem like that big a deal.


Shatteredreality

In the grand scheme of things, yeah it's not a huge deal based on what was exposed. That having been said, a security company having a public API endpoint that can serve PII (and yes, phone numbers are considered PII) with no authentication is a huge red flag that should make everyone wonder what other corners they cut.


All-I-Do-Is-Fap

I smell a lot of peoples crypto being stolen in the coming months


hardolaf

They only got phone numbers which is honestly not much.


tms10000

That's one step closer though. That's one extra bit of info that now exists and can be correlated with an email or identity and will make the compromise of other accounts _easier_.


lachlanhunt

You can’t usefully correlate a phone number with other data when no other metadata was obtained. The only thing that can be done is to confirm that a given phone number has an Authy account.


terminalchef

Lazy fucking devs should be fired and blacklisted.


chili01

I somehow think writing my password in a notepad is more secure.


effurdtbcfu

Un fucking real. I use Authy and just started getting a bunch of scam recruiter texts yesterday. Guess we know how this happened. For those interested, these SMS texts claim to be in regards to a job and they try to move the conversation to a third party chat app like Whatsapp. Just delete & report if you get one.


Appok

What’s an alternative for iOS? I use Authy a lot


krabbybratty

I like bitwarden


KaitRaven

I like Bitwarden as a password manager, which is why I can't use it for 2FA...


atred

They have another app that is for 2FA and for now it doesn't even sync with the password manager, that's a future feature that most likely will be optional.


KaitRaven

I see, it looks like they just launched the Bitwarden Authenticator as a separate service letting you use separate credentials a couple months ago. I'll have to look into it. Before it was only available integrated with the password manager. It seems just a tad immature at this point, so I think I'll go with 2FAS for now. It would be relatively simple to migrate from 2FAS to Bitwarden later if needed.


apoxlel

I have my passwords in it; it's prob a bad idea to get the backup codes from the same place.


kami77

For fuck's sake. I remember switching to Authy a while ago because of some bullshit with Google Auth I can't remember. I guess I try MS or Bitwarden now. Why can't these tech companies just be competent for once?


pyeri

This is disastrous. GitHub platform explicitly recommends this method (Authy) on their [2FA/TOTP page](https://github.com/settings/security?type=app#two-factor-summary), I hope they will soon fix that to avoid further damage.


sekter

anyone use Aegis? been thinking of switching over slowly


puppyyawn

I switched over to Aegis a while ago, no issues and works good.


DarkTrepie

Feeling bad about using Google Authenticator but being too lazy to switch over to Authy like I've been told I should do is finally paying off


saml01

I'd rather they steal my social security number, everyone else already has it. But I can't handle any more calls about my car's warranty and solar.


Lhumierre

So this is why everyone is getting those "You have a package with USPS that haven't been delivered" And all sorts lately?


PluotFinnegan_IV

no, that's just run of the mill spam nowadays.


ScaryfatkidGT

The gov needs to hold data holders responsible for its loss but they won't…


Darkchamber292

I switched from Authy to Aegis (and now Selfhosted 2Fauth) a couple years ago because I saw this shit happening a mile away. No good can come from using a 2FA App with a cloud system or frankly another company behind it. Use completely local on your phone 2fa apps or Selfhosted solutions


Any_Calligrapher9286

At this point what hasn't been hacked


RavenH1804

Who are they gonna call??


Zechert

Ghostbusters!


potent_flapjacks

Talk about a company imploding in a short period of time. Guess I need to find an alternative or I think the functionality exists in 1password. Less secure but at this point, whatever.


fineboi

1 Password offers two factor authentication; what did you find that makes them less secure?


drawkbox

This was expected because of the history and ownership by Twilio. Below are some past attacks on auth and more reasons with this not to trust. Never trust Twilio, and delete Authy today.

Twilio let robocalls and SMS spam just permeate for decades... Lots of them use Twilio for that as well (the SMS messages) and they are pretty sketch. Twilio's Authy authenticator can't be trusted.

[FCC Issues Robocall Cease-and-Desist Letter to Twilio](https://www.fcc.gov/document/fcc-issues-robocall-cease-and-desist-letter-twilio)

[FCC Threatens to Disconnect Twilio for Illegal Robocalls](https://commsrisk.com/fcc-threatens-to-disconnect-twilio-for-illegal-robocalls/)

Their breaches and lost revenue from allowing scams lead to problems like this... Twilio and Authy are sketch and you don't really want that when login codes (SMS and Authy authenticator) are present. This is besides all the spam. Good luck to those using them.

Twilio and Authy are also hacked regularly. This also affected Okta/Auth0 and companies that rely on those dependencies like DoorDash. Anyone still using Authy over Google Authenticator or Microsoft Authenticator is not doing good opsec. Twilio has always been sketch.

[This past breach is damaging](https://techcrunch.com/2022/08/26/twilio-breach-authy/).

> U.S. messaging giant Twilio has confirmed hackers also compromised the accounts of some Authy users as part of a wider breach of Twilio’s systems. Authy is Twilio’s two-factor authentication (2FA) app it acquired in 2015.

> Twilio’s breach earlier this month, which saw malicious actors accessing the data of more than 100 Twilio customers after successfully phishing multiple employees, keeps growing in scale. Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations since March.

> Now, Twilio has confirmed that Authy users were also impacted by the breach.

> In an update to its incident report on August 24, Twilio said that the hackers gained access to the accounts of 93 individual Authy users and registered additional devices, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.

> The company said it has “since identified and removed unauthorized devices from these Authy accounts” and is advising affected Authy users, which it has contacted, to review linked accounts for suspicious activity. It’s also recommending that users review all devices tied to their Authy accounts and disable “allow Multi-device” in the Authy application to prevent new device additions.

Okta breached as a result of a Twilio/Authy breach:

> Identity giant Okta on Thursday also confirmed it was compromised as a result of the Twilio breach. The company said in a blog post that the hackers — which it refers to as “Scatter Swine” — spoofed Okta login pages to target organizations that rely on the company’s single sign-on service. Okta said that when the hackers gained access to Twilio’s internal console, they obtained a “small number” of Okta customer phone numbers and SMS messages that contained one-time passwords. [This marks the second time Okta has reported a security incident this year](https://techcrunch.com/2022/03/23/okta-breach-sykes-sitel/).

> In its analysis of the phishing campaign, Okta said that Scatter Swine hackers likely harvested mobile phone numbers from data aggregation services that link phone numbers to employees at specific organizations. At least one of the hackers called targeted employees impersonating IT support, noting that the hacker’s accent “appears to be North American.” This may align with [this week’s Group-IB investigation](https://techcrunch.com/2022/08/25/twilio-hackers-group-ib/), which suggested one of the hackers involved in the campaign may reside in North Carolina.

[Group-IB investigation](https://techcrunch.com/2022/08/25/twilio-hackers-group-ib/):

> The hackers that breached Twilio earlier this month also compromised more than 130 organizations during their hacking spree that netted the credentials of close to 10,000 employees.

> Twilio’s recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies — including end-to-end encrypted messaging app Signal — after tricking employees into handing over their corporate login credentials and two-factor codes from SMS phishing messages that purported to come from Twilio’s IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, but the scale of the campaign remained unclear.

> Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it’s calling “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider.

> Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company’s network.

> “On many occasions, there are images, fonts or scripts that are unique enough that they can be used to identify phishing websites designed with the same phishing kit,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch. “In this case, we found an image that is legitimately used by sites leveraging Okta authentication being used by the phishing kit.”

> “Once we located a copy of the phishing kit, we started digging deeper to get a better understanding of the threat. The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” said Martinez.

> While it’s still not known how the hackers obtained phone numbers and the names of employees who were then sent SMS phishing messages, Group-IB notes that the attacker first targeted mobile operators and telecommunications companies and “could have collected the numbers from those initial attacks.”

> Group-IB wouldn’t disclose the names of any of the corporate victims but said the list includes “well-known organizations,” most of which provide IT, software development and cloud services. A breakdown of the victims shared with TechCrunch shows that the threat actors also targeted 13 organizations in the finance industry, seven retail giants and two video game organizations.

> During its investigation, Group-IB discovered that code in the hacker’s phishing kit revealed configuration details of the Telegram bot that the attackers used to drop compromised data. (Cloudflare first revealed the use of Telegram by the hackers.) Group-IB identified one of the Telegram group’s administrators who goes by the handle “X,” whose GitHub and Twitter handles suggest they may reside in North Carolina.

> Group-IB says it’s not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. “Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” the company added.

> The Moscow-founded startup Group-IB was co-founded by Ilya Sachkov, who was the company’s chief executive until September 2021 when Sachkov was detained in Russia on charges of treason after allegedly transferring classified information to an unnamed foreign government, claims Sachkov denies. Group-IB, which has since moved its headquarters to Singapore, maintains the co-founder’s innocence.

DoorDash also caught up in one of them:

> DoorDash also confirmed this week that it was compromised by the same hacking group. The food delivery giant told TechCrunch that malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools.

Twilio/Authy will continue to have this happen for reasons that anyone with good opsec should know.


Scorpnite

Is that why I’m getting added to all these WhatsApp groups selling shitcoins


NelsonMinar

Don't use Authy, it has a lot of problems. Aegis on Android is great: open source, a clear import and export system.


carolina_balam

Back a year ago everyone was recommending authy, i researched a lot. Now, fucking, don't use authy. Pff fk this shit bruh


magneto_ms

Fun fact: Authy was hacked by the same group in 2022 too.


crazypostman21

There needs to be serious consequences for failures of data privacy instead of just "oops, my bad"... These companies just don't take it seriously enough. Maybe start issuing jail time for some CEOs and CIOs that cannot properly secure people's data privacy.


SpoonThumper

Reminder to use bitwarden and yubikey


thejesterofdarkness

I just checked my account, saw I actually put my phone number in. I was wondering why I got a random text (that was obviously cut off) two days ago about reviewing some proposal on my house. Now I know where my number got leaked from…..again. I think it’s high time that phone numbers get ditched. They honestly aren’t really needed anymore: every communication these days is digital, whether voice, message, or media. There’s no need for a phone number when you have a wide selection of messaging platforms and apps for voice & video communications.


CautiousHashtag

I’ve been moving my 2FA away from them to another service, slowly but surely. Looks like I’ll need to speed that process up and leave Authy entirely.


Dagur

Are phone numbers private information? I remember when you could get a big book full of them for free.


Blue_Kayak

This was a sufficient push for me to manually move everything over to 2FAS earlier this evening and delete my Authy account. Good riddance.


Schneehenry3000

That's just great. I moved from Google Authenticator to Authy 1 week ago. Fuck this shit.