Authy Has Been Hacked, Here’s How To Protect Yourself


Authy is one of the most trusted 2FA apps, and it’s among the 2FA apps we recommend. Unfortunately, any service that relies on a server-based infrastructure can be hacked if the attacker is sophisticated enough, and that’s exactly what happened with Authy’s parent company, Twilio. In an elaborate social engineering attack, a bad actor gained access to employee accounts, in turn compromising the security of a handful of Twilio customers, including Authy and LastPass.


Read on to find out what happened and how you can better protect your own Authy account from such attacks.

How did this hack happen?

Twilio reports in a status update that it encountered the breach on August 4, 2022. Current and former employees received near-perfect phishing text messages that claimed to be from Twilio’s IT department, informing them that they needed to reset their passwords because they had expired. An included link then led to a fake login page that looked almost exactly like Twilio’s real one. At least one person appears to have fallen for the phishing attack, after which the hackers managed to gain access to Twilio’s internal systems with the stolen credentials.


The company has since been working to find out which services and customers were compromised, and how to prevent future incidents. Among these customers was LastPass, parts of whose source code were stolen, but thankfully no user data was exposed. Twilio says it has also emphasized “security training to ensure employees are on high alert for social engineering attacks.”

How are Authy users affected?

While Authy has also been affected by the breach, it doesn’t seem that too many users have been affected. It appears that hackers used Twilio for a number of highly targeted attacks, as the security team found that only 93 out of 75 million Authy users were affected, with bad actors registering additional devices to accounts. These unauthorized devices have since been removed from the accounts, and all targeted users were contacted by the company.

How can you secure your Authy account?

Authy recommends a simple fix that prevents unauthorized devices from being added. If you use Authy, you should first set up the app on one or two backup devices, like your laptop or tablet, and then disable “Allow multi-devices” in the app’s device settings on any of your devices.


This prevents anyone who doesn’t have one of your connected devices, including you, from connecting other devices. (That’s why it’s so important to have a backup device: otherwise, if your phone is stolen or lost, regaining access will be a huge hassle, though it’s not impossible.) When you want to add a new device, you can re-enable “Allow multi-devices” at any time on any of your connected devices.

Does the Authy Hack Mean 2FA Isn’t Secure?

Keep in mind that even if you are caught up in this Authy hack, your online accounts will be safe as long as your password and the email address associated with your account are not in the hands of hackers. After all, this is what two-factor authentication is for: even when one of your login factors is compromised, a bad actor will still need the other factor to gain access. If you are not a high-profile politician or an otherwise obvious target for hackers, it is highly unlikely that both of your factors will be hacked at the same time.

If you’re still concerned, AP alumnus Ryne Hager noted in a goodbye post a week ago that probably the best thing you can do to stay safe online is to buy a YubiKey or a comparable hardware-based authenticator. A hacker would need physical access to the hardware keys to get around their protection. Just remember that you should invest in a backup key, as logging into your accounts can be a hassle if you lose your primary authenticator.

As Twilio is still investigating the attack, it is possible that we will learn of further implications. We can only hope that the scope of the Authy hack remains as limited as it is at present.
