Twilio Under Investigation for Data Breach of Over 33 Million Authy MFA Users
Schubert Jonckheer & Kolbe LLP is investigating a data breach impacting the private information of 33.4 million users of Authy, a multifactor authentication (“MFA”) mobile app developed by Twilio Inc., a California-based cloud communications company.
On July 1, 2024, Twilio confirmed that third-party threat actors accessed and downloaded private data associated with Authy accounts, including phone numbers, due to its failure to authenticate an API endpoint.
In late June, a cybercrime group called ShinyHunters leaked a text file containing what it claims are 33.4 million private records for Authy users. The file included account IDs, phone numbers, account statuses, and device counts.
According to news reports, the data was compiled by feeding a massive list of phone numbers into the unsecured API endpoint. If the number was valid, the endpoint would return information about the associated accounts registered with Authy.
Although Twilio does not believe that other private data was breached, the stolen phone numbers and related metadata may be used by hackers to conduct phishing, smishing, and SIM swapping attacks. ShinyHunters has already suggested that other threat actors can use the stolen data in combination with other data to conduct additional breaches, including cryptocurrency exploits.
Twilio customers may also be at further risk through another data breach. Twilio has begun sending breach notifications that a third-party vendor’s unsecured Amazon Web Services’ S3 bucket exposed SMS-related data sent using its networks. In that breach, IdentifyMobile, a downstream carrier of Twilio’s backup carrier iBasis, publicly exposed message-related SMS data sent between January 1, 2024, and May 15, 2024. Twilio has informed its customers that some data, including message bodies without login tokens and marketing campaigns, may have been exposed. It also could not rule out the possibility of personal data exposure.
If your private information was impacted by this incident, you may be at risk of identity theft, financial fraud, and other serious violations of your privacy. As a result, you may be entitled to money damages and an injunction requiring changes to Twilio’s cybersecurity practices.
If you received notification of this data breach or are a current or former user of Authy and wish to obtain additional information about your legal rights, please complete the form below for a free legal consultation.