March 26, 2023

Twilio announced that some users of Authy, its multi-factor authentication (MFA) app for generating one-time passwords, were compromised in its recent data breach.

The company said that on August 7, a successful phishing campaign against its employees allowed hackers to gain access to internal systems, which were then used to “access certain customer data.” Twilio said on Aug. 10 that it believed 125 customers were affected by the breach. That number has since risen to 163 customers, and that is not counting the compromised Authy users.

Twilio said its “investigation has determined that malicious actors gained access to 93 individual Authy users – out of approximately 75 million users – and registered additional devices on their accounts.” It also said that the unauthorized devices “were identified and removed from these Authy accounts,” and that affected users were contacted.

The company has advised these users to check their Authy-linked accounts for suspicious activity, check all devices associated with their Authy accounts, and disable the “Allow multiple devices” setting in the app. The first two recommendations help limit the impact of this compromise; the last one aims to reduce the risk of future incidents.

Twilio notes in a support article that “Allow multiple devices” is enabled by default so that Authy users can keep access to their MFA tokens if their device is lost, stolen, or otherwise unavailable. The company has also promoted the ability to create these backups (or simply to access the token on multiple devices without repeating the setup process) as an advantage in comparison to Google Authenticator.

The problem, as this breach demonstrates, is that syncing tokens across multiple devices puts Authy users at risk, and Twilio’s approach to disabling this is somewhat complicated:

When Authy detects that you have added the Authy app to multiple devices, it will automatically disable multi-device. You can still access your account from all existing installations, but you will need to manually enable multi-device to add another device. After re-enabling, Authy remembers this choice and won’t disable it again. We recommend that users keep the multi-device feature disabled when they don’t want to add another device to their account as an extra security step.

This approach can backfire in a number of ways. Authy users who have never set up the app on another device may not realize that “Allow multiple devices” is enabled by default, and users who re-enable the setting may not remember to disable it later. (These challenges may explain why configuring multiple devices in Google Authenticator is just as cumbersome.)
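To make the quoted multi-device rules and the two ways they can backfire concrete, here is a small model written for this article (it is not Authy's code; the rules are inferred from the support text, and the account, device names and scenario functions are constructed). It also includes the “check all devices” step as a simple comparison against the devices the user knows about.

```python
# Constructed model of the "Allow multiple devices" rules quoted above; not Authy's code.
from dataclasses import dataclass, field

@dataclass
class AuthyAccount:
    devices: list = field(default_factory=list)
    multi_device: bool = True    # enabled by default, per the support article
    remembered: bool = False     # set once the user re-enables it by hand
    def add_device(self, name: str) -> bool:
        # Refused only when a device already exists and the switch is off.
        if self.devices and not self.multi_device:
            return False
        self.devices.append(name)
        # Second device triggers the one-time auto-disable (unless re-enable was remembered).
        if len(self.devices) >= 2 and not self.remembered:
            self.multi_device = False
        return True

    def enable_multi_device(self) -> None:
        self.multi_device = True
        self.remembered = True   # Authy will not auto-disable again

    def disable_multi_device(self) -> None:
        self.multi_device = False

def unknown_devices(acct: AuthyAccount, known: set) -> list:
    # The "check all devices" step: anything not in the user's own list.
    return [d for d in acct.devices if d not in known]

def default_user_scenario() -> tuple:
    # User never added a second device, so the default "on" setting is live.
    acct = AuthyAccount()
    acct.add_device("user-phone")
    added = acct.add_device("intruder-device")   # constructed device name
    return added, unknown_devices(acct, {"user-phone"})

def forgot_to_disable_scenario() -> bool:
    # User re-enabled the switch for a third device and never turned it off.
    acct = AuthyAccount()
    acct.add_device("user-phone")
    acct.add_device("user-tablet")   # auto-disables here
    acct.enable_multi_device()
    acct.add_device("user-laptop")   # no auto-disable: choice remembered
    return acct.add_device("intruder-device")

def hardened_scenario() -> bool:
    acct = AuthyAccount()
    acct.add_device("user-phone")
    acct.disable_multi_device()      # as Twilio now recommends
    return acct.add_device("intruder-device")
```

In the first two scenarios the unknown device is accepted; only the explicit disable refuses it, which is why the device check matters for anyone who has not already turned the setting off.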

“Trust is critical at Twilio, and we recognize that the security of our systems and networks is an important part of earning and maintaining our customers’ trust,” Twilio said. “As we continue to investigate, we are communicating with affected customers to share information and assist with their own investigations. We will update this blog with more information as it becomes available.”
