Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks.
That’s especially bad, because the default behavior, iirc, is to have Multi-Device turned on, which means anyone can potentially add their device to your account and access your TOTP.
And I don’t expect most users to know how or to remember to turn it off.