Twilio, the company that owns Authy, suffered a data breach – Ghacks
Twilio, the company which owns the popular 2-factor authentication service Authy, has revealed that it has suffered a data breach. An announcement published on its website states that some of its employees fell victim to a phishing attack.
According to the report, hackers sent some text messages to current and former employees of the company. The message which originated in the U.S., was spoofed as being sent from Twilio’s IT department, asked the users to update their passwords. A link, which accompanied the texts, directed the users to URLs controlled by hackers, who then stole the credentials to gain access to some of the company’s internal systems.
The concerning part is that the attackers were able to access certain customer data. Twilio is investigating the attack, and will notify customers who were affected by the data breach. The company has already revoked access to the compromised accounts. It says that it worked with US carriers to shut down the threats, and has taken down the accounts belonging to the attackers on hosting providers that were used for the breach.
The transparency related to the data breach might be appreciated by users, but the company has not clarified what customer data was accessed. Twilio owns several products and services, Authy is just one of those, and is probably the most popular one of the lot. The attack will no doubt raise some eyebrows about the safety of Authy.
There is no official word whether user data from Authy has been stolen. I have seen a few reports on social media where users are panicking. But, I think it is safe to say that Authy users shouldn’t be worried. Why is that?
1. Authy’s login system
2. End-to-end encryption
Authy does not have a traditional login system, i.e. a username and a password. Instead, the service uses your phone number as your login ID. Let’s say a hacker somehow knows your phone number, they can’t associate it with your account’s data. Since the TOTP service does not employ a password system, your credentials are not saved on the cloud, i.e. there is no password to be leaked. Authy uses a protection PIN (pass code) which serves as the encryption key to encrypt your data (2FA account tokens) on your device before it is uploaded to the cloud, this is known as end-to-end encryption. The only person who has access to this encryption key, is the user, without this key the data cannot be accessed by anyone, even Authy itself can’t get the TOTP codes. Similarly, when you download Authy on a new device, you need to input the pass code to decrypt the data, before using the app for 2FA codes.
This end-to-end encryption is essentially similar to how cloud-based password managers work, for example, Bitwarden. Even if a hacker has managed to breach Authy, your data should theoretically be safe because the contents are encrypted. That’s the whole point of encryption.
This is not an official explanation from the company, it’s just based on my understanding of how end-to-end encryption works. Of course, it all depends on the proper implementation of the encryption system.
Some of my friends rely on Authy across platforms (iOS, Android), but I moved away from Authy a few years ago, to Aegis because I prefer offline and open source apps. I used this guide for importing the tokens.
Do you use Authy?
Un-be-lie-va-ble. With the type of security services that Twilio provides, this should NEVER have happened. They need to up their act fast because this does NOT look good on them and their staff. They might loose a hefty number of customers over this major failure to protect their clients personal data.
It’s an embarrassment for sure, but I don’t think it’s a catastrophe. After all, as explained in the article Authy’s login system and encryption means your data is protected.
@ Ashwin,
Aegis looks like a good alternative, but my Android phone dates from 2016 and isn’t biometric. That means having to type in a password every time to authenticate 2FA and I positively detest using a phone’s keyboard. Doing anything on such a small screen is a pain in the posterior as far as I’m concerned and I don’t use Authy.
I was forced to consenting to Google’s use of 2FA, but beyond that I avoid it like the plague.
Customer data may be safe for now, but did the hackers get into Twilio networks? What if they are able to set up a MITM attack? Compromising a 2FA server would give them potentially endless access to services being accessed by customers.
TelV,
Android + 2016 = more than likely no security updates (for a while), so “Authy vs Aegist” should be the least of your concerns brotha.
Passwords:
Really poor concept, as they are easily stolen and easily phished.
Passwords with 2FA:
Still really poor concept, as they are still easily stolen and easily phished.
FIDO U2F:
Good concept (uses public/private key pair), not easily stolen or easily phished, but poor usability for the masses.
FIDO2:
Good concept (uses public/private key pair), not easily stolen or easily phished, but still poor usability for the masses.
FIDO multi-device credentials (passkeys):
Finally, we may get a secure and usable alternative to passwords for the masses. The sooner this is made available, the better. No matter haw many times I look into securing passwords, passwords have always been a poor concept, and always will be a poor concept.
What happens if your physical passkey is lost, stolen, or destroyed? How do you get a new passkey setup if you change, say phones, ISP, or cell provider?
The problem isn’t passwords, themselves, it that most people use some variant of the most common passwords, like using password or 12345, etc. rather than something more secure.
FIDO seems like just another excuse to collect telemetry, but with a unique identifier. Sure, they claim it is purposely designed to not be, but that is just not possible. It will be used as an identifier, and it will likely be abused. No thanks.
I have been using the same password for 15 years, never got hacked. My tip: Don’t use ‘qwerty’ as password.
Phone numbers should never be used for 2FA in the first place. Best option always is to generate tokens via key. Store that key in password manager and everything is fine. Data remains encrypted and hackers don’t have your phone number or even username and password.
I use Aegis as well(F-Droid). Offline, open source and keys(to generate tokens) are stored in Bitwarden.
Aegis is great, I agree.
Actually, if you happen to be interested in the service this might become a good time to sign up. When a breach like this happens, the involved company will undergo a massive internal and third party review of its security systems (from experience with a company that has suffered such a breach I can assure you their insurer will require this), and upgrade them accordingly.
Of course this assumes that despite Ashwin’s sense that customers should probably not be overly worried, the breach was not somehow serious enough to truly jeopardize Authy’s/Twilio’s whole business. Presumably more details about exactly what happened and what was affected will emerge shortly.
I moved to Authy from Goggle & Microsoft apps. The real benefit is the ability to have access to the token on multiple devices, including my Apple watch. This is a huge productivity boost so that I dont need my phone in hand every time. I do believe, as Ashwin explained, that the codes are secure. In addition, any access to a site would need to start with username and password before the 2FA is required. The Aegis app seems to be Android only, a single device.
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.