Twilio says someone has obtained phone numbers associated with its two-factor authentication service (2FA), Authy, as reported earlier by TechCrunch<\/em><\/a>. In a security alert<\/a> on Monday, Twilio warns that the \u201cthreat actors\u201d may try to use the stolen phone numbers to carry out phishing attacks and other scams.<\/p>\n<\/div>\n The incident follows a 2022 data breach<\/a> that occurred after a phishing campaign tricked employees into disclosing their login credentials. The attackers accessed data<\/a> from 163 Twilio accounts and managed to access and register additional devices on 93 Authy accounts.<\/p>\n<\/div>\n Twilio traced this leak back to \u201can unauthenticated endpoint\u201d that it has since secured. Last week, the threat actor ShinyHunters published a list<\/a> of 33 million phone numbers from Authy accounts on the dark web. As pointed out by BleepingComputer<\/em><\/a>, the threat actor seems to have obtained the information by inputting a massive list of phone numbers into Authy\u2019s unsecured API endpoint, which would then verify whether they\u2019re associated with the app.<\/p>\n<\/div>\n \u201cWe encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving,\u201d Twilio writes. It adds that it \u201chas seen no evidence that the threat actors obtained access to Twilio\u2019s systems or other sensitive data\u201d and that Authy accounts weren\u2019t compromised. Twilio is advising users to update their Authy apps on Android and iOS (the Authy desktop app has been discontinued<\/a>).<\/p>\n<\/div>\n<\/div>\n