The cryptocurrency community faces a significant security wake-up call after Twilio confirmed that its popular two-factor authentication app, Authy, suffered a data breach exposing the phone numbers of approximately 33 million users. The breach, publicly disclosed on July 1, 2024, and widely reported on July 5, was claimed by the notorious hacking group ShinyHunters, who posted the stolen data on BreachForums. With Bitcoin trading at $56,662 and Ethereum at $2,981, the timing of this breach adds another layer of anxiety to an already volatile market rattled by Mt. Gox repayment distributions.
The Exploit Mechanics
Twilio revealed that the attackers exploited an unauthenticated endpoint in the Authy infrastructure. In simple terms, this means there was a vulnerability in the API that allowed anyone to query user data without providing credentials. ShinyHunters leveraged this oversight to systematically harvest phone numbers and account IDs associated with Authy accounts. Twilio stated that the compromised data included phone numbers and Authy account IDs, but stressed that no passwords, two-factor authentication seeds, or other sensitive account details were accessed. The company has since secured the endpoint and no longer allows unauthenticated requests.
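The following is an added illustration, not Twilio's code (which is not public): the unauthenticated-lookup pattern the article describes, beside a hardened form that requires a credential, throttles callers, and gives a uniform answer so the endpoint cannot be used as a registration oracle. The phone numbers, account ids, API key and limits are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample store: phone number -> account id (hypothetical values)
USERS = {"+15555550100": "acct-1001", "+15555550101": "acct-1002"}

# Hypothetical service credential; a real deployment would load it from a secret store
API_KEY = "example-service-key"


def lookup_unauthenticated(phone):
    """Weak pattern: any caller learns whether a number is registered and gets its account id."""
    if phone in USERS:
        return 200, {"registered": True, "account_id": USERS[phone]}
    return 404, {"registered": False}


class RateLimiter:
    """Fixed-window limiter keyed by caller; a bulk enumeration run trips it quickly."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(list)

    def allow(self, caller, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[caller] if now - t < self.window]
        self.hits[caller] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_seconds=60)


def lookup_hardened(phone, api_key, caller, now=None):
    """Hardened pattern: credential required, per-caller throttle, no registration oracle."""
    if api_key is None or not hmac.compare_digest(api_key, API_KEY):
        return 401, {"error": "authentication required"}
    if not LIMITER.allow(caller, now):
        return 429, {"error": "rate limited"}
    # Uniform response regardless of whether `phone` is in USERS: the caller learns
    # nothing about registration status; any verification continues out of band.
    return 202, {"status": "accepted"}
```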
Affected Systems
Authy is one of the most widely used authenticator applications in the cryptocurrency ecosystem. Binance, Gemini, and Crypto.com have all at various points recommended or endorsed Authy as a preferred 2FA solution for their platforms. The breach therefore directly impacts a substantial portion of the crypto-using population. With over 33 million phone numbers exposed, the scope is enormous. The exposed data does not directly grant access to crypto wallets or exchange accounts, but it provides attackers with a powerful tool for targeted social engineering campaigns. Phone numbers tied to known crypto users are particularly valuable to attackers because they can be used for SIM-swap attacks, smishing campaigns, and targeted phishing attempts that impersonate crypto exchanges or wallet providers.
The Mitigation Strategy
Twilio has released emergency updates for the Authy app across both major platforms. Users on Android should update to version 25.1.0 or later, while iOS users need version 26.1.0 or later. These updates include patches for the exploited vulnerability and additional security hardening. Beyond simply updating the app, security researchers recommend several additional steps. Tim Jenkins, Head of Cyber Defense Research at SentryBay, emphasized that while the breach may seem limited, the exposed phone numbers enable highly convincing phishing attacks. He noted that threat actors can now impersonate Authy and Twilio directly to users, making phishing attempts far more credible and dangerous.
Lessons Learned
This breach underscores a fundamental truth in cybersecurity: the security of your assets is only as strong as the weakest link in your authentication chain. Authy, as a centralized 2FA provider, became a single point of failure for millions of users. The incident highlights the risks inherent in relying on cloud-connected authentication services that store user metadata on external servers. For cryptocurrency users specifically, this is a stark reminder that even security tools themselves can become attack vectors. The breach also demonstrates that unauthenticated API endpoints remain a persistent and dangerous class of vulnerability in modern web services.
User Action Required
All Authy users should immediately update the app to the latest version. Beyond that, crypto holders should consider migrating to alternative 2FA solutions that do not rely on cloud-connected phone number databases. Hardware security keys, such as YubiKey, offer a significantly more secure alternative by requiring physical possession of the device for authentication. Users should also be hyper-vigilant about any unsolicited calls or text messages claiming to be from Authy, Twilio, or any cryptocurrency exchange. As the crypto market navigates the turbulence of Mt. Gox repayments and broader selling pressure, security vigilance has never been more important.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions regarding your cryptocurrency holdings.
33 million phone numbers from a 2FA app is beyond ironic. the thing supposed to protect you becomes the attack vector
ShinyHunters posting on BreachForums with 33M records and Twilio could only say "no seeds were compromised". phone numbers alone enable SIM swaps. that's the real damage
ShinyHunters exploiting an unauthenticated endpoint in 2024 is embarrassing for Twilio. This is security 101 stuff.
Twilio also had that employee phishing attack in 2022. at what point do we stop trusting them with auth infrastructure
unauthenticated endpoint in 2024. this isn't some startup, it's Twilio. they have the budget and the talent to do better
an unauthenticated endpoint in their auth infrastructure in 2024. Twilio charges enterprise prices for Authy and can't do basic API security
switched to hardware keys after this breach. phone-based 2FA is fundamentally broken when the phone number itself is the leak
switched to YubiKey after this. SMS 2FA is broken, phone-based apps are broken. hardware keys are the only thing left that actually work