Shush Blog

Twilio Authy users should prepare for SIM Swap attacks

Posted by Shush Marketing on July 8, 2024 at 4:34 PM

Details of the security breach

Recently, Twilio Authy experienced a security breach which has compromised the mobile phone numbers of millions of users. Hackers were able to gain unauthorized access to the app's database and obtain a significant amount of user data.

The breach exposed personal information, including phone numbers, associated with Twilio Authy accounts. It is important to note that no account passwords or sensitive financial information were compromised in the breach.

Twilio Authy has taken immediate action to investigate the breach and enhance its security measures to prevent similar incidents in the future.

The mobile subscribers on the leaked list are now exposed to SMS smishing and potential SIM swap attacks. Because these numbers are known to belong to Twilio Authy users, their owners are highly likely to receive fake SMS OTP requests carrying malicious links. This further demonstrates that mobile-app-based authentication methods and SMS OTP can be compromised.

Impact on user phone numbers

The security breach has raised concerns about the privacy and security of user phone numbers. While no sensitive information was compromised, the exposure of phone numbers could potentially lead to targeted spam messages, phishing attempts, or other malicious activities.

It is recommended that users remain vigilant and report any suspicious activity related to their Twilio Authy accounts. Additionally, users should consider updating their 2FA settings and monitor their accounts for any unauthorized access.

Overview of Twilio Authy 2FA app

Twilio Authy is a popular two-factor authentication (2FA) app that provides an additional layer of security for user accounts. It allows users to secure their online accounts by requiring a second form of authentication, typically a unique code sent to their mobile device.

With the increasing threat of cyber attacks and data breaches, 2FA has become a crucial security measure for individuals and organizations. Twilio Authy has gained popularity due to its user-friendly interface and compatibility with various online platforms.

The app works by generating one-time codes that are required to access online accounts. These codes can be delivered via SMS, phone call, or push notification, providing users with flexibility and convenience.

Response from Twilio Authy

Twilio Authy has taken the security breach seriously and has responded promptly to address the issue. The company has initiated a thorough investigation to determine the cause of the breach and identify any potential vulnerabilities in its system.

In response to the incident, Twilio Authy has implemented additional security measures to enhance the protection of user data. This includes strengthening encryption protocols, implementing stricter access controls, and conducting regular security audits.

Twilio Authy has also notified affected users regarding the breach and provided guidance on steps they can take to secure their accounts. The company is committed to ensuring the privacy and security of its users and will continue to monitor the situation closely.

Tags: Network Authentication, Data Breach

Healthcare Ransomware Attack: Compromised Credentials and no MFA

Posted by Shush Marketing on May 1, 2024 at 2:11 PM

This is a repost of the following article from TechCrunch

Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO

United Healthcare

The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG).

Understanding Healthcare Ransomware Attacks

UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system.

This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare’s systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a “substantial proportion of people in America.”

Change Healthcare processes health insurance and billing claims for around half of all U.S. residents.

According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks.

Witty did not elaborate on how the credentials were stolen. The Wall Street Journal first reported the hackers' use of compromised credentials last week.

Importance of Multi-Factor Authentication in Healthcare

However, Witty did say the portal “did not have multifactor authentication,” which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee’s trusted device, such as their phone. It’s not known why Change did not set up multifactor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” said Witty.

Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach.

UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to lay claim to the data theft after posting a portion of the stolen data to the dark web and demanding a ransom to not sell the information.

UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, in which the company made close to $100 billion in revenue.

Tags: Data Breach