Twilio hack led to compromise of 2FA app Authy


Earlier this month, messaging service Twilio suffered a serious data breach following a "sophisticated social engineering attack". After using phishing attacks on company employees, hackers were able to access user data, but it seems that the impact of the hack was more widespread.

Twilio has now revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Although the number of users affected by the breach is relatively small, the implications are very serious and will dent confidence in the company.



By gaining access to 2FA data, the attackers were able to register additional devices to users' Authy accounts, giving those devices the ability to generate the users' one-time codes. Twilio says that it has now removed such devices from the affected accounts.

In an update to a blog post about this month's security incident, the company says: "As we are continuing our investigation and gathering more information, we can share the following update".

Twilio continues, saying:

After having instituted a number of targeted security enhancements internally, we have not observed any additional instances of unauthorized access to accounts since our last update.

To date, our investigation has identified 163 Twilio customers -- out of a total customer base of over 270,000 -- whose data was accessed without authorization for a limited period of time, and we have notified all of them.

In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users -- out of a total of approximately 75 million users -- and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts.

We have contacted the 93 Authy users and provided them with additional guidance to protect their account, based on industry-accepted practices:

- Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.

- Review all devices tied to their Authy account and remove any additional devices they don't recognize.

- To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable "Allow Multi-device" in the Authy application. Users can re-enable "Allow Multi-device" to add new devices at any time. Specific steps can be found here.

The company concludes by adding: "Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers' trust. As we continue our investigation, we are communicating with impacted customers to share information and assist in their own investigations. We will update this blog with more information as it becomes available".


© 1998-2023 BetaNews, Inc. All Rights Reserved.