Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed - MacRumors
Skip to Content

Authy Users Urged to Stay Alert After 33 Million Phone Numbers Exposed

by

Twilio has updated its Authy two-factor authentication (2FA) service after a hacker claimed to have retrieved 33 million phone numbers from its user database.

authy
TechCrunch reports that the hacker(s) known as ShinyHunters took to a well-known hacking forum to boast about the theft of 33 million cell phone numbers, achieved by what Twilio described as the use of an "authenticated endpoint."

The U.S. messaging giant confirmed this week that "threat actors" gained access to its servers, resulting in the theft of users' phone numbers, but it did not specify how many were accessed. The company said it had taken action to secure the exploit and prevent similar future unauthenticated requests.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," said the company in a blog post. "While Authy accounts are not compromised, threat actors may try to use the phone number associated with Authy accounts for phishing and smishing attacks; we encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving."

As Twilio notes, obtaining a list of phone numbers may not appear in itself to pose a severe security threat. However, attackers could conceivably contact users and claim to be Authy or Twilio representatives in order to get them to reveal personal information as part of a phishing campaign.

Users should update to the latest version of the iOS app, available on the App Store. Twilio also advises users who cannot access their Authy account to contact its support team immediately.

At the beginning of the year, Authy announced that it was shutting down its Mac and Linux desktop apps in August 2024, but ended up bringing the date forward. The apps were subsequently killed off in March.

Tag: Two-Factor Authentication

Popular Stories

WWDC26 MR Live Coverage Article

WWDC 2026 Apple Event Live Keynote Coverage: iOS 27, Revamped Siri, and More

Monday June 8, 2026 9:15 am PDT by
Apple's Worldwide Developers Conference (WWDC) starts today with the traditional keynote kicking things off at 10:00 a.m. Pacific Time. MacRumors is on hand for the event and we'll be sharing details and our thoughts throughout the day. We're expecting to see a number of software-related announcements today, headlined by a reset on Apple's push into AI that should see a significant overhaul...
Read Full Article1078 comments
macOS Golden Gate Mac

Apple Announces macOS 27 Golden Gate With New Siri and 'Tons' of Refinements

Monday June 8, 2026 10:19 am PDT by
Apple today announced that macOS 27 is named macOS Golden Gate. Much like Mac OS X Snow Leopard in 2009, Apple said it focused on improving macOS's performance and dozens of underlying technologies this year. Apple says macOS Golden Gate offers quicker AirDrop transfers, faster network file browsing, improved syncing in the Messages app, better Spotlight search suggestions, and other...
Read Full Article122 comments
apple intelligence architecture

Apple Reveals New AI Architecture Built Around Google Gemini Models

Monday June 8, 2026 10:38 am PDT by
Apple today announced a major overhaul of its Apple Intelligence platform, revealing a new architecture built on foundation models developed in collaboration with Google using the technologies behind the Gemini family. The new architecture centers on Apple Foundation Models co-developed with Google, which Apple says are adapted to run both on-device and on servers through its existing...
Read Full Article40 comments

Top Rated Comments

J
jasonsmith_88
25 months ago
Been using Authy for years but I’ve always been suss on the requirement for a phone number, especially as Twilio’s entire business model is SMS.

You should not have to, nor expect to, disclose your phone number in order to use a TOTP generator. My data has already been leaked so many times, so I migrated to 2FAS about a month ago in anticipation of an event like this. Sadly my data was leaked because Authy takes 30 days to delete an account 🙃

Do not use Authy.
Score: 14 Votes (Like | Disagree)
antiprotest Avatar
antiprotest
25 months ago

Never even heard of Twilio, should we be concerned? :rolleyes:
Many of the services you have heard of use Twilio. It offers APIs and such. So it's not a name customers will always directly face, but it's there. In this case, Twilio owns Authy.
Score: 10 Votes (Like | Disagree)
JosephAW Avatar
JosephAW
25 months ago
Never even heard of Twilio, should we be concerned? :rolleyes:
Score: 7 Votes (Like | Disagree)
WarmWinterHat Avatar
WarmWinterHat
25 months ago

Bummer. I liked Twilio's Authy, in part because it synced well between macOS and iOS. But now iCloud Keychain can do this as well, so I might as well migrate to that.

I also still use Twilio's SendGrid.
I don't use Authy anymore, but I've always kept my 2FA codes separate from my passwords app. If one got compromised, at least the 2FA sites would still be secure.
Score: 6 Votes (Like | Disagree)
chucker23n1 Avatar
chucker23n1
25 months ago

Many of the services you have heard of use Twilio.
Yep.

For example, lots of companies use Twilio SendGrid for transactional mails (password change confirmations, etc.) or marketing mails (newsletters, etc.). Or they use Twilio itself to send text messages.
Score: 6 Votes (Like | Disagree)
G
ghanwani
25 months ago
Users should change their phone numbers every 3 months. That way scammers won’t be able to keep up with them! Ideally should also change their own names and relocate every 3 months. That’s the new version of “catch me if you can” where people stay ahead of criminals, instead of the obsolete version where criminals stay ahead of law enforcement.
Score: 5 Votes (Like | Disagree)
Read All Comments