The most recent security incident impacted at least 93 users of the company's two-factor authentication software.
Authy customers, who depend on the multi-factor authentication (MFA) software to create one-time passcodes, may have had their security compromised as a result of a recent data breach, according to an announcement made by Twilio.
On August 7, the firm said that a successful phishing attempt against its workers gave a hacker access to internal systems, which the hacker then exploited to “access sensitive client data.” On August 10, Twilio said that, to the best of its knowledge, 125 of its clients had been compromised by the security incident. This number has now increased to 163, and it does not even take into account the users of Authy whose accounts were hacked.
According to Twilio’s statement, the company’s research “has found that the malicious actors got access to the accounts of 93 individual Authy users out of a total of around 75 million users” and registered additional devices to those individuals’ accounts. In addition to this, it states that it has “since detected and deleted illegitimate devices from these Authy accounts” and has contacted individuals who were impacted by this issue.
The business has recommended that those customers verify all of the devices that are connected to their Authy account, disable the “Allow Multi-device” feature inside the app, and review the accounts that are linked to Authy for any unusual behaviour. The first two suggestions are intended to help mitigate the effects of this compromise, while the third is designed to lower the likelihood of such occurrences in the future.
In a support post, Twilio mentions that “Allow Multi-device” is set by default for Authy users so that they may continue to have access to their MFA tokens even if their device is lost, stolen, or otherwise unavailable. In a comparison to Google Authenticator, the business also stresses the ability to make these backups, or simply to access tokens on multiple devices, without having to repeat the setup procedure.
Published at: 10 Aug 2022 10:52 AM (IST)