Authy is one of the most trusted 2FA apps out there, and it's one of our recommendations among a bunch of great 2FA apps. Unfortunately, any service that depends on server-side infrastructure can be compromised by a sufficiently determined attacker, and that is exactly what happened to Authy's parent company, Twilio. In an elaborate social engineering attack, a criminal gained access to employee accounts, in turn compromising the security of Authy and a handful of Twilio customers, including LastPass.
Read on to find out what happened and how you can better protect your own Authy account from attacks like these.
How did the attack happen?
Twilio reports in a status update that it was breached on August 4, 2022. Current and former employees received convincing phishing text messages, claiming to come from Twilio's IT department and telling them their passwords had expired and needed to be reset. An embedded link led to a fake login page that looked almost exactly like the real Twilio sign-in page. At least one person fell for it: the attackers used the stolen credentials to access Twilio's internal systems.
Since then, the company has been working to determine which services and customers were compromised and how to prevent future incidents. LastPass was among these customers and had parts of its source code stolen, though no user data was exposed. Twilio says it has also re-emphasized its "security training to ensure employees are on high alert for social engineering attacks."
How are Authy users affected?
While Authy is also affected by the breach, only a small number of users appear to be. The attackers seem to have used their Twilio access for a series of highly targeted attacks: the security team found that just 93 of Authy's 75 million users were affected, with the attackers registering additional devices to those accounts. A device enrolled in an Authy account can generate that account's 2FA codes, which is what makes this serious for the people concerned. The unauthorized devices have since been removed from the accounts, and the company has contacted all of the targeted users.
How can you protect your Authy account?
Authy recommends a simple setting that stops unauthorized devices from being added. If you use Authy, first set up the app on one or two backup devices, such as your laptop or tablet, and then disable "Allow multi-device" under the Devices settings on any of your devices.
This prevents anyone who does not hold one of your already-connected devices from adding more devices, and that includes you. (That's why the backup devices matter: without them, regaining access after your phone is lost or stolen is a major hassle, though not impossible.) When you want to add a new device later, you can re-enable "Allow multi-device" from any of your connected devices, enroll the new one, and then turn the setting off again.
Does Authy’s hack mean 2FA is not secure?
Keep in mind that even if your Authy account was among those targeted, your online accounts should remain secure as long as your password and the email address associated with each account are not in the attackers' hands. This is exactly what two-factor authentication is for: when one login factor is compromised, an attacker still needs the other to get in. In this incident the compromised factor was the 2FA code, so the strength and uniqueness of your passwords is what stands between the attackers and your accounts. Unless you are a high-profile politician or otherwise an obvious target, it is very unlikely that both factors will be compromised at the same time.
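To make the two points above concrete (why an attacker-enrolled device matters, and why the password is still required), here is an added example that is not Authy's or Twilio's code: a standard RFC 6238 TOTP implementation plus a toy account model in which every enrolled device holds the seed and can therefore generate valid codes, with a multi-device switch that behaves like the one described above. The account model, the device names, the password store and the timestamps are assumptions for illustration; the seed is the RFC 6238 test seed, not a real user's.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept one step of clock skew either side, comparing in constant time."""
    return any(
        hmac.compare_digest(hotp(secret, at // step + skew), code)
        for skew in range(-window, window + 1)
    )


@dataclass
class AuthyLikeAccount:
    """Toy model (assumption, not Authy's implementation): every enrolled
    device receives the seed, so any enrolled device can produce codes."""
    seed: bytes
    devices: set = field(default_factory=set)
    allow_multi_device: bool = True

    def enroll(self, device: str, via_device: Optional[str] = None) -> bool:
        # With multi-device off, only an already-enrolled device may add another.
        if not self.allow_multi_device and via_device not in self.devices:
            return False
        self.devices.add(device)
        return True

    def code_from(self, device: str, at: int) -> Optional[str]:
        return totp(self.seed, at) if device in self.devices else None


def login(password_db: dict, username: str, password: str,
          code: str, account: AuthyLikeAccount, at: int) -> bool:
    """Both factors are required. The toy password store uses plain SHA-256;
    a real service would use a slow password hash such as bcrypt or Argon2."""
    stored = password_db.get(username, "")
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), stored)
    return pw_ok and verify_totp(account.seed, code, at)


def scenario(at: int = 1_660_000_000) -> dict:
    """Walk through the incident and the recommended fix; constructed data."""
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real user's
    pw_db = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
    acct = AuthyLikeAccount(seed=seed, devices={"alice-phone"})
    out = {}

    # Multi-device on: an attacker with account access enrolls their own phone.
    out["attacker_enrolled"] = acct.enroll("attacker-phone")
    stolen_code = acct.code_from("attacker-phone", at)

    # The second factor alone is not enough; the password still gates login.
    out["code_only"] = login(pw_db, "alice", "guess", stolen_code, acct, at)
    out["both_factors"] = login(pw_db, "alice", "correct horse", stolen_code, acct, at)

    # Remediation: remove the rogue device, then switch multi-device off.
    acct.devices.discard("attacker-phone")
    acct.allow_multi_device = False
    out["attacker_enrolled_after_fix"] = acct.enroll("attacker-tablet")
    out["owner_can_still_add"] = acct.enroll("alice-laptop", via_device="alice-phone")
    return out


if __name__ == "__main__":
    print(scenario())
```

The `scenario` function mirrors the article: while multi-device is on, a rogue enrollment succeeds and that device mints valid codes, but a login with the code and a wrong password still fails; after the rogue device is removed and multi-device is switched off, a fresh enrollment is refused unless it comes via a device the owner already holds.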
If you're still worried, AP alum Ryne Hager mentioned in his farewell post a week ago that the best thing you can do to stay safe online is to buy a YubiKey or a comparable hardware-based authenticator. An attacker would need physical possession of the key to get past it, and because a FIDO key binds its credential to the genuine site's origin, it also will not sign in on a lookalike login page like the one used against Twilio's employees. Just remember to invest in a backup key, as getting into your accounts can be a hassle if you lose your primary authenticator.
As Twilio's investigation continues, more details may emerge. We can only hope that the Authy hack remains as limited in scope as it currently appears to be.