Unsecured API Exposed Authy Users’ Phone Numbers
Twilio has issued a warning that an unsecured API endpoint allowed attackers to discover millions of Authy users’ phone numbers, potentially putting them at risk of SMS phishing and SIM swapping attacks.
In late June, a hacker known as ShinyHunters leaked a CSV file online, allegedly containing 33 million phone numbers registered with the Authy two-factor authentication service. The file includes 33,420,546 rows, each listing an account ID, phone number, an “over_the_top” column, account status, and the number of associated devices.
ShinyHunters suggested, “You can combine [this list] with the Gemini or Nexo database,” implying that criminals could cross-reference Authy users’ phone numbers with data leaked from crypto companies Gemini and Nexo.
Twilio representatives confirmed to Bleeping Computer that attackers compiled this list by exploiting a poorly secured API endpoint that did not require authentication. “Twilio discovered that attackers were able to obtain data associated with Authy accounts, including phone numbers, by using an unauthenticated endpoint. We have taken steps to secure this endpoint and no longer allow unauthenticated requests,” Twilio stated.
The company emphasized that there is no evidence attackers accessed Twilio’s internal systems or other sensitive data.
What Authy Users Should Do
- Update the Authy app to the latest version (Android: 25.1.0, iOS: 26.1.0).
- Stay vigilant and be prepared for potential phishing attempts.
According to journalists, ShinyHunters obtained the leaked data by submitting a massive list of phone numbers to the unsecured API endpoint. If a number was valid, the API would return information about the associated Authy account. This API endpoint is now secured and can no longer be used for such “checks.”
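The enumeration pattern described above, and the checks that close it, as an added example (not Twilio's code; the account directory, API key and rate limit are constructed): an endpoint that answers differently for registered and unregistered numbers is an oracle, while the hardened version authenticates the caller, caps per-caller volume, and returns the same response either way.

```python
import hmac
from collections import defaultdict
from typing import Optional

# Constructed sample data: a hypothetical account directory and API keys,
# not Authy data or Twilio code.
REGISTERED = {
    "+15550100": {"account_id": 1001, "status": "active", "devices": 2},
    "+15550101": {"account_id": 1002, "status": "active", "devices": 1},
}
API_KEYS = {"demo-key-abc": "tenant-a"}
RATE_LIMIT = 20          # max lookups per caller in this toy window
NOTIFICATIONS = []       # stands in for a push/SMS queue to the enrolled device
_calls = defaultdict(int)


def lookup_vulnerable(phone: str) -> dict:
    """Pattern the article describes: no authentication, and a registered number
    gets a different answer than an unregistered one, so submitting a list of
    numbers turns the endpoint into an enumeration oracle."""
    acct = REGISTERED.get(phone)
    if acct is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": acct}


def lookup_hardened(phone: str, api_key: Optional[str], caller: str) -> dict:
    """Closes the oracle: require a credential, count requests per caller, and
    reply identically whether or not the number is registered."""
    # 1. Authenticate every request; compare_digest avoids a timing side channel.
    if api_key is None or not any(hmac.compare_digest(api_key, k) for k in API_KEYS):
        return {"status": 401, "body": {"error": "unauthorized"}}
    # 2. Cap per-caller volume; bulk submission of a number list trips this.
    _calls[caller] += 1
    if _calls[caller] > RATE_LIMIT:
        return {"status": 429, "body": {"error": "rate limited"}}
    # 3. The existence check still runs, but its result only drives a side effect
    #    (notify the enrolled device); the reply never reveals it.
    if phone in REGISTERED:
        NOTIFICATIONS.append(REGISTERED[phone]["account_id"])
    return {"status": 202, "body": {"message": "request accepted"}}


def reset_rate_limits() -> None:
    """Clear the per-caller counters (a real service would use a sliding window)."""
    _calls.clear()
```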
Previously, hackers used a similar method to collect information about Twitter users by abusing an API to match phone numbers with social media accounts.