Twilio的Authy应用程序遭遇泄露，数百万电话号码暴露

Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers.

云通信提供商Twilio透露，未经身份验证的威胁行为者利用Authy中的未经身份验证的端点识别与Authy帐户相关的数据，包括用户的手机号码。

The company said it took steps to secure the endpoint to no longer accept unauthenticated requests.

该公司表示已采取措施，确保该端点不再接受未经身份验证的请求。

The development comes days after an online persona named ShinyHunters published on BreachForums a database comprising 33 million phone numbers allegedly pulled from Authy accounts.

就在几天前，一个名为ShinyHunters的在线角色在BreachForums上发布了一个数据库，其中包括从Authy帐户中提取的3300万个电话号码。

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

自2015年以来由Twilio拥有的Authy是一款流行的两步验证（2FA）应用程序，可为帐户安全增加额外的层次。

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert.

"我们没有看到威胁行为者获取对Twilio系统或其他敏感数据的访问的证据，"它在2024年7月1日的安全警报中说。

But out of an abundance of caution, it's recommending that users upgrade their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version.

但出于谨慎起见，建议用户将其Android（25.1.0版本或更高版本）和iOS（26.1.0版本或更高版本）应用程序升级到最新版本。

It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks.

它还警告称，威胁行为者可能会尝试使用与Authy帐户关联的电话号码进行钓鱼和smishing攻击。

"We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.

"我们鼓励所有Authy用户保持警惕，并对他们收到的短信提高警觉，"它指出。

---

参考资料

[1]https://thehackernews.com/2024/07/twilios-authy-app-breach-exposes.html

---

原文始发于微信公众号（知机安全）：Twilio的Authy应用程序遭遇泄露，数百万电话号码暴露