Malicious actors have managed to steal more than 33 million phone numbers used by users of the two-factor authentication service Authy.

Authy is a popular security application to manage authentication codes for apps and online services. These add to the security of sign-ins, as the codes need to be entered in a second stage of authentication.

Here are the key points:

• A threat actor leaked a CSV text file containing 33 million phone numbers of Authy customers.
• The list was obtained through an improperly secured API endpoint.
• The attacker fed the API a large number of phone numbers to find out which were known to the Authy system.
• Attackers may use the phone numbers in SMS phishing or SIM swapping attacks.

Twilio, Authy's parent company, confirmed the authenticity of the data and the hack to Bleeping Computer.

The company revealed that it has secured the endpoint used in the attack. It furthermore released an update for Android and iOS as a precaution.

What affected users can do

Authy customers cannot look up if their phone number is included in the leak. There is no direct threat, as threat actors cannot do anything with the phone number alone.

Attacks are, however, possible:

• SMS attacks to get users to share authentication codes or download malware to their devices.
• SIM Swapping attacks, which require additional personal information. These involve the cellular provider of the victim.

The attackers could use online searches or other databases to link phone numbers to their owners.

The data in Authy is secure at this point. This is not the first incident, however. Back in 2022, Twilio confirmed that it suffered a data breach.

If this reminds you of LastPass, a password management service that suffered through a series of hacks and issues in the last couple of years, you are not totally mistaken.

Migrating from Authy to another service

Migration is not straightforward, as Authy does not support exporting. A workaround exists that uses an older version of the desktop app, but it may not work soon anymore as Authy is discontinuing the desktop program.

The only other option is to manually migrate the data. This involves the following steps:

• Sign-in to the service that codes are generated for in Authy.
• Turn off 2FA in the preferences.
• Enable 2FA again, this time using the new authenticator app.

Repeat the steps for any service and delete each of them once the migration completes. This is done by long-tapping on the item in Authy and selecting the remove option.

As far as alternatives are concerned, check out my reviews of the open source authenticator Aegis or Bitwarden Authenticator.

Closing Words

Should you trust a service that suffered through several breaches in the past, or should you move to a service that has not. LastPass customers have faced the same question several times in the past, and it is the same question that Authy customers should ask themselves.

Whether you are migrating or not is up to you. It is inconvenient, thanks to the lack of proper export options.

Do you use authenticator apps? If so, which is your preferred one at the moment?