On July 1, 2024, Twilio released a security alert on their website. They discovered that malicious individuals gained access to information linked to their Authy accounts, such as phone numbers, through an unauthenticated endpoint. This is due to a post on June 27, 2024, by a hacking group known as ShinyHunters on the relaunched BreachForums website, compromising 33 million Twilio Authy phone numbers including account IDs and account status.

Twilio is an American cloud communications company based in San Francisco, California. It provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service Application Programming Interfaces (APIs). Over 300,000 global enterprises, digital disruptors, and more than 10 million developers worldwide use Twilio to build unique and personalized customer experiences. Major companies like Uber, Airbnb, Netflix, and HubSpot rely on Twilio’s products. Furthermore, Twilio Authy is a security-focused product offered by Twilio. It provides two-factor authentication (2FA) and multi-factor authentication (MFA) services for applications and websites.

ShinyHunters is a notorious black-hat criminal hacker group that emerged in 2020. They have been involved in numerous data breaches, stealing sensitive information and selling it on the dark web. The group’s name is believed to be inspired by “shiny Pokémon,” which are rare and elusive variants in the Pokémon video game franchise. Notable breaches include AT&T Wireless, Tokopedia, Wattpad, Microsoft, and Pluto TV.

Following the announcement, Twilio said, “We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting that all Authy users update to the latest Android and iOS apps for the latest security updates. While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks, we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving.”