
What the Authy Breach Means for Your Crypto: A Beginner’s Guide to Staying Safe

If you use cryptocurrency, you have probably heard about two-factor authentication, or 2FA. It is that extra step when you log into an exchange like Binance or Coinbase, where you need to enter a code from an app on your phone. One of the most popular 2FA apps is called Authy, owned by a company called Twilio. On July 5, 2024, news broke that hackers had stolen the phone numbers of roughly 33 million Authy users. If you are new to cryptocurrency, this might sound scary, and it should. But understanding what happened and what to do about it is the best way to protect yourself.

The Basics

Let us start with what actually happened. A hacking group called ShinyHunters found a weakness in Authy’s systems. Specifically, they exploited what security professionals call an unauthenticated endpoint, which is essentially a door that should have been locked but was not. Through this door, the hackers were able to collect the phone numbers associated with 33 million Authy accounts. Twilio, the company that owns Authy, confirmed the breach and said that no passwords, authentication codes, or other sensitive data were stolen. Just phone numbers. But in the world of cryptocurrency, even a phone number in the wrong hands can be dangerous.

Why It Matters

Your phone number is more valuable to a hacker than you might think. With your phone number, an attacker can attempt what is called a SIM-swap attack. This is where they trick your mobile carrier into transferring your phone number to a SIM card they control. Once they have your number, they can receive your SMS messages and phone calls, which means they can bypass SMS-based two-factor authentication on your email, your bank, and your crypto exchange accounts. Beyond SIM-swapping, hackers can use your phone number to send you convincing text messages that look like they are from Binance, Coinbase, or even Authy itself. These messages might ask you to click a link and enter your password on a fake website. This is called smishing, and it is one of the most common ways crypto users lose their funds.
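A link check for the smishing texts described above, as an added example that is not part of the original article. The list of official domains and the sample messages are assumptions constructed for illustration; confirm the domains against each service's own site.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains of the services the article names.
# Confirm each one against the service's own site before relying on it.
OFFICIAL = {"binance.com", "coinbase.com", "authy.com", "twilio.com"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def classify_host(host):
    """Return 'official', 'suspicious' or 'unknown' for one hostname."""
    host = host.rstrip(".").lower()
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious"  # malformed name
    if ascii_host != host or "xn--" in ascii_host:
        return "suspicious"  # non-ASCII or punycode lookalike characters
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    if any(b in host for b in BRANDS):
        return "suspicious"  # brand name used inside someone else's domain
    return "unknown"

def check_message(text):
    """Return (hostname, verdict) for every link found in an SMS body."""
    results = []
    for raw in URL_RE.findall(text):
        try:
            parts = urlsplit(raw.rstrip(".,;:!?)"))
            host = parts.hostname or ""
        except ValueError:
            results.append((raw, "suspicious"))
            continue
        # user@host URLs display a trusted name before the real host
        verdict = "suspicious" if parts.username is not None else classify_host(host)
        results.append((host, verdict))
    return results

# Constructed sample messages (not real smishing texts; .example is reserved).
SAMPLES = [
    "Coinbase: review your login at https://www.coinbase.com/security.",
    "Binance alert: verify now https://binance.com.account-verify.example/login",
    "Authy: re-enable tokens at https://authy.com@tokens.example/reset",
    "Your parcel is waiting: https://tracking.example/p/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(check_message(sms), "<-", sms)
```

A verdict of "unknown" only means the link does not imitate one of the listed services; it is not a sign that the link is safe.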

Getting Started Guide

Here is what you should do right now to protect yourself.

Step one: Update your Authy app immediately. Twilio has released patched versions for both Android (version 25.1.0 or later) and iOS (version 26.1.0 or later).

Step two: Enable additional security on your Authy account, such as a master password or biometric lock.

Step three: Check whether your crypto exchange supports hardware security keys like YubiKey. If it does, set one up. Hardware keys are far more secure than any app-based 2FA because they require physical possession of the device.

Step four: If you are storing significant value in cryptocurrency, invest in a hardware wallet like a Ledger or Trezor. These devices keep your private keys offline, making them immune to online attacks.

Step five: Use a password manager to generate and store unique, strong passwords for every service. Never reuse passwords across different exchanges or services.

Common Pitfalls

New crypto users often make several mistakes when it comes to security. The biggest one is relying solely on SMS-based 2FA. SMS is the weakest form of two-factor authentication because it is vulnerable to SIM-swapping. If your exchange offers app-based 2FA or hardware key support, always choose those over SMS. Another common mistake is using the same password across multiple services. If one service gets breached, attackers will try that password on every other service where you have an account. A related mistake is ignoring software updates. When Authy releases a security patch, installing it promptly is one of the simplest and most effective things you can do to stay safe. Finally, never share your seed phrase, the recovery words that come with your crypto wallet, with anyone. No legitimate service will ever ask for it.

Next Steps

Once you have updated your Authy app and reviewed your security settings, take some time to audit your entire crypto security setup. Check which exchanges you use and what authentication methods each one supports. Consider consolidating your holdings onto fewer, more secure platforms. Look into hardware wallets if you do not already use one. And most importantly, develop a habit of skepticism toward any unexpected message, email, or call related to your cryptocurrency accounts. The Authy breach is a reminder that security is an ongoing process, not a one-time setup. By taking these steps now, you can significantly reduce your risk and continue participating in the crypto ecosystem with greater confidence.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions regarding your cryptocurrency holdings.


7 thoughts on “What the Authy Breach Means for Your Crypto: A Beginner’s Guide to Staying Safe”

  1. the scary part about 33 million leaked phone numbers is sim swap attacks. if someone has your number and knows you have crypto, that's all they need to social engineer your carrier

    1. exactly why i ported my number to google fi. they have better sim swap protections than most carriers

      1. google fi is better than most carriers for sim swap but it's not foolproof. hardware keys are the only real 2fa for crypto. yubikey or nothing

        1. hardware keys are great until you lose one and have no backup. happened to a friend and he lost access to his exchange for 3 weeks

    2. 33m phone numbers is basically a targeting list for sim swaps against crypto users. authy should have forced number changes after the breach but they just sent an email

  2. This is the clearest explanation of 2FA risks I have read anywhere. The analogy about the unlocked door makes it click.

    1. the unlocked door analogy is perfect. most people think 2FA is bulletproof without understanding the attack vectors around it
