The data of a small number of users of Authy, a two-step authentication app, was stolen in a hack of parent company Twilio. A total of 125 users are affected, the company reports.
It is unknown exactly what data the attackers could access, but it does not involve passwords, tokens or API keys, Twilio reports. With passwords and tokens, the attackers could have generated codes on behalf of those users and gained access to their accounts. For users who have not been notified by the company, Twilio says there is no evidence that attackers could access their data.
Authy is an app for Android and iOS that enables access with two-factor authentication and competes with, for example, the authenticator apps from Google and Microsoft. Twilio doesn’t say how many users Authy has.
The hack was possible because employees had fallen for a targeted phishing attack. The employees received a text message informing them that a password had expired, with a request to create a new one. They mistook the messages for ones from their own IT department and so clicked on the links.
The company will investigate the incident and says it is frustrated with the way things are going. It is also in contact with American providers to make it no longer possible to spoof the text messages.