Criminals have stolen phone numbers from Twilio users. The company is now warning customers about phishing attacks.

Twilio is warning users that criminals have made off with their phone numbers. This affects phone numbers linked to the 2FA application Authy. Attackers can use this information to launch targeted phishing campaigns. Twilio is now warning about this.

Hackers gained access to the phone numbers via an unauthenticated endpoint and were able to execute API requests via this. They probably did not steal a phone number list, but rather checked numbers via the API to see if they were associated with Authy and Twilio. For example, they compiled a list of 33 million user numbers that is now being sold on the dark web.

No big hack

Twilio currently finds no evidence that the attackers have actually gained access to the company’s systems. The service itself therefore remains secure. To be on the safe side, Twilio has updated its apps for iOS and Android. As always, a quick installation is a good idea.

The big danger for victims now is that they will be attacked again using their personal data, using their personal phone number. For example, imagine a phishing attack with a fake MFA portal with an automatic message to the correct mobile number: something like this can falsely create trust. Twilio itself communicates about the problem on this page.