Eagle Eye Security Blog
Published: Jul 04, 2024 06:45 pm. Last updated: Jul 04, 2024 06:45 pm.

Twilio's Authy App Security Breach: Millions of Phone Numbers at Risk

Twilio, a leading cloud communications provider, has recently disclosed that unidentified threat actors exploited an unauthenticated endpoint in its Authy app. This breach potentially exposed data associated with millions of Authy accounts, including users' cell phone numbers.

The company acted swiftly to secure the endpoint, which no longer accepts unauthenticated requests. The disclosure follows the release of a database on BreachForums by an online persona named ShinyHunters, who claimed it contains 33 million phone numbers sourced from Authy accounts.

Authy, a popular two-factor authentication (2FA) app owned by Twilio since 2015, adds an extra layer of account security for users. Despite the breach, Twilio maintains that there is no evidence of the threat actors gaining access to Twilio's systems or other sensitive data, according to a security alert issued on July 1, 2024.

However, as a precaution, Twilio recommends that users update their Authy apps to the latest version: Android version 25.1.0 or later and iOS version 26.1.0 or later. The company also warned that the threat actors might attempt to use the exposed phone numbers for phishing and smishing attacks.

"We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," the company noted, emphasizing the importance of vigilance in the face of potential cyber threats.