
Apple_Robert

Contributor
Original poster
Sep 21, 2012
35,645
52,430
In a van down by the river
“Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.

In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.
Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”


I encourage you to find a new Auth 2FA app or set up.
 
Reactions: Iwavvns and NoBoMac

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,282
4,968
Saw this as well. Explains why, for the last few days, been getting text phishing spam. Primarily fake loan application approvals. Usually see practically zero text spam.
 

Apple_Robert

Contributor
Original poster
Sep 21, 2012
35,645
52,430
In a van down by the river
Saw this as well. Explains why, for the last few days, been getting text phishing spam. Primarily fake loan application approvals. Usually see practically zero text spam.
Hopefully, none of our fellow members will fall prey to this fallout. I used to use OTP Auth, which has always been excellent, but I switched most of my coding to Keychain for that aspect, for security and longevity purposes. I keep the account restore codes in Strongbox, Keychain and other backup places.
 

jedimasterkyle

macrumors 6502a
Sep 27, 2014
578
873
Idaho
I'm so glad I moved away from this app but not happy that my phone number was exposed...again.

Add it to the list of hacks that we've all been a part of 🤦‍♂️...
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,282
4,968
Spent a good part of the day yesterday moving off Authy. All but one account, due to that one requiring Authy.

“Good part of the day” as I went round and round with different options until I remembered I had a lifetime license for Enpass password manager that has 2FA functions, so using it solely for 2FA and keeping my current password manager in place.

Basically, so that all my security eggs are not in one basket, no remote servers containing PII, both sync via my cloud accounts, encryption on device, and can generate backups to recover should disaster happen.

Briefly thought about iCloud Keychain for this but did not like the idea of all tied to iCloud and it being stable (seen enough sync issues on this site to not trust it enough for something this important) and no user backups. And potential for incompatibilities down the road (older device on old OS that can’t handle potentially new/improved Keychain). Worked well enough, though a little rough around the edges when compared to dedicated apps.

2FAS app is an interesting option but needs some work: does not encrypt the sync file but that is supposedly coming in next(?) major release.
 

adrianlondon

macrumors 603
Nov 28, 2013
5,534
8,359
Switzerland
On the assumption that your phone number has already been obtained, if it was, then why bother moving from Authy?

The hack has been done. There's nothing they can do with Authy itself with your number, so might as well stay with them if it's what you use.
 
Reactions: agoodpub

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,282
4,968
why bother moving from Authy?

Just because.

Maybe a false sense of control, but does put things more under my control vs trusting some other company to not mess things up. In this case, I can sync between devices through pretty much any cloud service vs rely on Authy's cloud.
 
Reactions: adrianlondon

Iwavvns

macrumors 6502a
Dec 11, 2023
687
968
Earth
On the assumption that your phone number has already been obtained, if it was, then why bother moving from Authy?

The hack has been done. There's nothing they can do with Authy itself with your number, so might as well stay with them if it's what you use.
For me there would always be a question of “what other weakness will another hacker find tomorrow?”
 
Reactions: adrianlondon