Cyber report spotlight: 33 million Phone Numbers Stolen In Twilio Data Breach​

What happened​

The Twilio data breach occurred sometime in June, and was revealed when the group involved – ShinyHunters – announced that they were going to be leaking the 33 million stolen phone numbers. ​

A week later Twilio confirmed that they had suffered a data breach, although stated that the hackers had not gained access to their systems. Instead, the source of the data breach was an unauthenticated public facing endpoint, which allowed the threat actors to exfiltrate the data from outside the organisation. Twilio have since secured this endpoint to prevent further attacks.​

While any data breach involving contact information will result in a risk of follow-on phishing attacks, in this instance the risk is increased due to some of the phone numbers involved being linked to the Authy 2FA app which is owned by Twilio. Twilio confirmed that based on the data that was exfiltrated the threat actors would be able to determine which phone numbers were associated with Authy 2FA app users. With the data being made publicly available on the dark web, it is likely that threat actors may conduct targeted and customised phishing attacks against Authy 2FA app users. ​

Wider implications​

While a relatively uncommon cause of data breach's, unauthenticated public facing endpoints have been responsible for some of the largest data breaches in recent years, due to the ease by which threat actors can exfiltrate vast amounts of data.

In 2022 a cyber attack on Optus in Australia which led to the personal data of 3.2 million customers being compromised was caused by an unauthenticated API. Similarly to this incident, a lack of authentication as well as rate limiting controls allowed the threat actors to export the data undetected.

Organisations should:

• Ensure they have implemented best practice for API security such as encrypting ​ all API data, implementing authentication and access control restrictions, data input validation, imposing rate limiting on requests, and closely monitoring API usage logs.​

• ​Continually assess their API security against OWASP Top 10 API Security Risks – 2023 - OWASP API Security Top 10

• Make users aware of the potential social engineering risk targeting phone numbers, if using the Authy 2FA app.

To make sure you stay informed on all the latest cyber security news, sign up to our cyber report where we discuss all the latest news and give you insights into the best practises for protecting your data. 

Sign up here!