Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed - MacRumors
Skip to Content

Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed

by

Twilio has updated its Authy two-factor authentication (2FA) service after a hacker claimed to have retrieved 33 million phone numbers from its user database.

authy
TechCrunch reports that the hacker(s) known as ShinyHunters took to a well-known hacking forum to boast about the theft of 33 million cell phone numbers, achieved by what Twilio described as the use of an "authenticated endpoint."

The U.S. messaging giant confirmed this week that "threat actors" gained access to its servers, resulting in the theft of users' phone numbers, but it did not specify how many were accessed. The company said it had taken action to secure the exploit and prevent similar future unauthenticated requests.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," said the company in a blog post. "While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving."

As Twilio notes, obtaining a list of phone numbers may not appear in itself to pose a severe security threat. However, attackers could conceivably contact users and claim to be Authy or Twilio representatives in order to get them to reveal personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app, available on the App Store. Twilio also advises users who cannot access their Authy account to contact its support team immediately.

At the beginning of the year, Authy announced that it was shutting down its Mac and Linux desktop apps in August 2024, but ended up bringing the date forward. The apps were subsequently killed off in March.

Tag: Two-Factor Authentication

Popular Stories

M5 Vision Pro Thumb 2

Apple Has Given Up on the Vision Pro After M5 Refresh Flop

Wednesday April 29, 2026 11:31 am PDT by
Apple has all but given up on the Vision Pro after the M5 model failed to revitalize interest in the device, MacRumors has learned. Apple updated the Vision Pro with a faster M5 chip and a more comfortable band in October 2025, but there were no other hardware changes, and consumers still weren't interested. The Vision Pro has been criticized for its high price tag and its uncomfortable...
Read Full Article633 comments
app store monthly sub commitment

Apple Introduces App Store Monthly Subscriptions With 12-Month Commitment

Monday April 27, 2026 12:52 pm PDT by
Apple today announced the launch of a new subscription option for App Store developers: monthly subscriptions with a 12-month commitment. The new option allows developers to offer subscribers discounted pricing typically associated with an annual subscription but paid on a monthly basis to keep payments more affordable. This new payment option allows you to offer subscribers more affordable...
Read Full Article145 comments
Four iPhone 18 Pro Colors Mock Feature

iPhone 18 Pro to Launch in September With These 10 New Features

Tuesday April 28, 2026 9:35 am PDT by
While the iPhone 18 Pro and iPhone 18 Pro Max are not launching until September, there are already plenty of rumors about the devices. It was initially reported that the iPhone 18 Pro models would have fully under-screen Face ID, with only a front camera visible in the top-left corner of the screen. However, the latest rumors indicate that only one Face ID component will be moved under the...
Read Full Article

Top Rated Comments

J
jasonsmith_88
24 months ago
Been using Authy for years but I’ve always been suss on the requirement for a phone number, especially as Twilio’s entire business model is SMS.

You should not have to, nor expect to, disclose your phone number in order to use a TOTP generator. My data has already been leaked so many times, so I migrated to 2FAS about a month ago in anticipation of an event like this. Sadly my data was leaked because Authy takes 30 days to delete an account 🙃

Do not use Authy.
Score: 14 Votes (Like | Disagree)
antiprotest Avatar
antiprotest
24 months ago

Never even heard of Twilio, should we be concerned? :rolleyes:
Many of the services you have heard of use Twilio. It offers APIs and such. So it's not a name customers will always directly face, but it's there. In this case, Twilio owns Authy.
Score: 10 Votes (Like | Disagree)
JosephAW Avatar
JosephAW
24 months ago
Never even heard of Twilio, should we be concerned? :rolleyes:
Score: 7 Votes (Like | Disagree)
WarmWinterHat Avatar
WarmWinterHat
24 months ago

Bummer. I liked Twilio's Authy, in part because it synced well between macOS and iOS. But now iCloud Keychain can do this as well, so I might as well migrate to that.

I also still use Twilio's SendGrid.
I don't use Authy anymore, but I've always kept my 2FA codes separate from my passwords app. If one got compromised, at least the 2FA sites would still be secure.
Score: 6 Votes (Like | Disagree)
chucker23n1 Avatar
chucker23n1
24 months ago

Many of the services you have heard of use Twilio.
Yep.

For example, lots of companies use Twilio SendGrid for transactional mails (password change confirmations, etc.) or marketing mails (newsletters, etc.). Or they use Twilio itself to send text messages.
Score: 6 Votes (Like | Disagree)
G
ghanwani
24 months ago
Users should change their phone numbers every 3 months. That way scammers won’t be able to keep up with them! Ideally should also change their own names and relocate every 3 months. That’s the new version of “catch me if you can” where people stay ahead of criminals, instead of the obsolete version where criminals stay ahead of law enforcement.
Score: 5 Votes (Like | Disagree)
Read All Comments