Twilio has announced that Authy users, who rely on the multi-factor authentication (MFA) app to generate one-time passcodes, were compromised during a recent data breach.
The company said on Aug. 7 that a successful phishing campaign against its employees gave a hacker access to internal systems that were then used to “access certain customer data.” Twilio said on Aug. 10 that it believed 125 of its customers were affected by the breach. Now that number has risen to 163 customers—and that doesn’t include the compromised Authy users.
Twilio says that its “investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts.” It also says that it has “since identified and removed unauthorized devices from these Authy accounts” and reached out to affected users.
The company has advised those users to review accounts linked to Authy for suspicious activity, check all of the devices connected to their Authy account, and disable the “Allow Multi-device” setting within the app. The first two recommendations could help minimize the impact of this compromise; the last recommendation is meant to reduce the risk of future incidents.
Twilio notes in a support article that “Allow Multi-device” is enabled by default so Authy users can maintain access to their MFA tokens if their device is lost, stolen, or otherwise unavailable. The company also highlights the ability to create these backups (or simply access tokens on multiple devices without repeating a setup process) in a comparison to Google Authenticator.
The problem, as this breach demonstrated, is that syncing tokens across multiple devices puts Authy users at risk, and Twilio’s approach to disabling this feature is somewhat convoluted:
Authy will automatically disable Multi-device when it detects that you have added an Authy app to more than one device. You will still be able to access your account from all existing installations, but you would need to manually enable multi-device to add another device. Once re-enabled, Authy remembers this choice, and won’t disable it again. We recommend users keep the multi-device feature disabled when not wanting to add additional devices to their account as an extra security step.
This approach could backfire in multiple ways. Authy users who never set up the app on another device might not realize that “Allow Multi-device” is enabled by default, and users who re-enable the setting might not remember to disable it later, either. (These challenges probably explain why Google Authenticator makes setting up multiple devices as cumbersome as it does.)
“Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers’ trust,” Twilio says. “As we continue our investigation, we are communicating with impacted customers to share information and assist in their own investigations. We will update this blog with more information as it becomes available.”