Summary

  • Authy is a 2FA app that recently suffered a data breach that exposed more than 33 million phone numbers.
  • An unsecured API endpoint allowed threat actors to collect linked numbers.
  • If you think your personal information might be among the 33 million leaked numbers, consider securing your accounts with 2FA and be wary of SMS phishing attacks.
  • Altima NEO@lemmy.zip
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    1
    ·
    5 months ago

    Lol so what do you do when the 2fa app you use to protect your accounts is breached?

    • Lem453@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      5 months ago

      Don’t use cloud based 2fa and you won’t need to wonder about this.

      Aegis is one of several opensource 2fa apps you can use instead.

        • Lem453@lemmy.ca
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          The same as for anything else if your phone gets stolen. You restore from backups.

          Aegis allows you to make a backup that you can keep yourself on your computer, your own cloud storage etc.

          Every OS has some kind of built in vault/encryption feature. Put the file in there. It only needs to be updated when you add another 2fa account (so very infrequently)

    • limerod@reddthat.comOPM
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      Good question. You would need to start by changing all your account passwords. Next export your 2 factor auth codes. Import your auth codes in a good open source auth app. Then, one by one set new auth codes for your accounts.

      This should be sufficient to protect your online accounts.

  • Substance_P@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    5 months ago

    Wouldn’t it be great if independent auditors were standard, responsible for holding companies accountable for their data security practices, coupled with a rating system akin to those used in the banking sector? Before paying for a service, consumers would be aware of how secure the service is. Say A++ or AAA.

    It would be a pain in Silicon Valley’s ass for sure, but it would go a long way toward giving consumers peace of mind and bringing about a whole new industry in the process.

    • Tregetour@lemdro.id
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Rating schemes inevitably become subject to gaming and P2W.

      Service providers need to be honest about their stack and its implementation, and people need to git gud.

  • evo
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    1
    ·
    5 months ago

    The real important reminder here is that you should never use SMS as your 2FA delivery method. Phone numbers aren’t private and once associated with an account it’s far too easy to spoof/sim swap and intercept the code.

      • AHemlocksLie@lemmy.zip
        link
        fedilink
        English
        arrow-up
        4
        ·
        5 months ago

        That shit drives me nuts. Wanna be trusted with my life savings, but they can’t be bothered to implement modern security features until they’re already being phased out. I don’t know what will replace modern 2FA schemes, but I guarantee banks will adopt the current ones about three years after the replacements become standard.

        Also, they’re charging you a poor tax for not having enough money, whether that’s a minimum balance or just accidentally spending a nickel more than you had on hand.

  • open343@lemmy.zip
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    5 months ago

    Avoid using services that ask for your phone number, for your own good.

  • grayhaze@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    Just moved all my 2FA over to Bitwarden and Bitwarden Authenticator, and deleted my Authy account. I’d already been using it for passwords, so it was a natural fit.

  • Toes♀@ani.social
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    Twilio has a really cool API that lets you resolve phone numbers to what carrier and if it’s been ported.

    Shame to see they got pwned.

    • evo
      link
      fedilink
      English
      arrow-up
      9
      ·
      5 months ago

      That is exactly like saying having a separate deadbolt on your door is adding another attack vector…

    • Bezier@suppo.fi
      link
      fedilink
      English
      arrow-up
      9
      ·
      5 months ago

      That’s like saying that the second key of a 2-key nuke launch console is an extra attack vector.

    • limerod@reddthat.comOPM
      link
      fedilink
      English
      arrow-up
      6
      ·
      5 months ago

      The breach was because of an unsecured API endpoint. No actual auth codes were leaked. without 2FA the attacker would just need your password and email to get account access.