Authy is one of the most trusted 2FA apps out there, and it’s one of our recommendations among a pool of great 2FA apps. Unfortunately, any service that relies on a server-based infrastructure can be hacked if the attacker is sophisticated enough, and this is exactly what happened to Authy’s parent company Twilio. In an elaborate social engineering attack, a bad actor gained access to employees’ accounts, in turn compromising the security of Authy and a handful of Twilio customers, including LastPass.
Read on to find out what happened and how you can better protect your own Authy account from attacks like these.
How did this hack happen?
Twilio reports in a status update that it suffered the breach back on August 4, 2022. Current and former employees received phishing text messages that looked almost picture-perfect, claiming to be from Twilio’s IT department and informing them that they needed to reset their passwords because they had expired. An included link then led to a fake login page that looked almost exactly like the real Twilio one. It looks like at least one person fell for the phishing attack, as hackers managed to gain access to Twilio’s internal systems with someone’s stolen credentials.
The company has since been working to find out which services and customers were compromised, and how to prevent future incidents. LastPass was also among these customers and had parts of its source code stolen, but thankfully, no user data was exposed. Twilio says it has additionally reemphasized its “security training to ensure employees are on high alert for social engineering attacks.”
How are Authy users affected?
While Authy is also affected by the breach, relatively few of its users appear to be. It looks as though the hackers used Twilio for a number of highly targeted attacks: the security team found that only 93 Authy users out of 75 million were affected, with bad actors registering additional devices to those accounts. The unauthorized devices have since been removed from the accounts, and all of the targeted users were contacted by the company.
How can you secure your Authy account?
Authy recommends an easy fix that stops the addition of unauthorized devices. If you use Authy, you should first set up the app on one or two backup devices like your laptop or tablet and then disable “Allow multi-device” in the app’s Devices settings on any of your devices.
This prevents anyone, including you, from adding further devices unless they have access to one of your already connected devices. (That’s why it’s so important to have backup devices — otherwise it will be a big hassle to regain access if your phone is stolen or lost, though it isn’t impossible.) When you do want to add new devices, you can re-enable “Allow multi-device” on any of your connected devices at any time.
Does the Authy hack mean 2FA isn’t secure?
Keep in mind that even if you were caught up in this Authy hack, your online accounts should still remain secure as long as your password and the email address associated with your account aren’t in the hands of the hackers. After all, this is exactly what two-factor authentication is meant for: even when one of your login factors is compromised, a bad actor would still need the other factor to gain access. If you’re not a high-profile politician or an otherwise obvious target for hackers, it’s very unlikely that both of your factors will be hacked at the same time.
If you’re still concerned, AP alum Ryne Hager mentioned in his goodbye post a week ago that the best thing you can probably do to stay secure online is to buy a YubiKey or a comparable hardware-based authenticator. A hacker would need physical access to the hardware key to get around its protection. Just remember that you should invest in a backup key, as getting into your accounts could be a hassle if you lose your primary authenticator.
As Twilio continues to investigate the attack, it’s possible that we will learn about further implications. We can only hope that the Authy hack remains as limited in scope as it currently appears to be.