This service stores all your security keys: it has been hacked

We always recommend using the latest security measures to protect our accounts. For example, it is vital to use long, secure passwords in our online services, and to keep them unique rather than reusing them on other websites, so that an attack is contained as well as possible. In addition, whenever it is available, we recommend enabling two-factor authentication, which ensures that, even if passwords are stolen, attackers cannot access our data. But what happens if the one who puts us in danger is the company that keeps these security keys? This is what has happened to Authy.

Although two-factor authentication is vital to preserve our security, the most widely used application to generate keys, Google Authenticator, leaves much to be desired. For this reason, many users have trusted Authy to keep their security keys protected and, in addition, to have them at hand on all types of devices (mobile phones, tablets, PCs, etc.).

However, even the latest security measures are useless if the company responsible for controlling them does not adequately protect them. And this is what has happened with Twilio, the company responsible for Authy.

A phishing attack puts our security at risk

As the company has confirmed, a group of hackers carried out a phishing campaign against several employees of this company, based in the United States, until it finally managed to compromise the security of its entire infrastructure. In this campaign, the attackers posed as Twilio’s IT department, asking workers to reset their passwords in order to keep their access to the intranet. Needless to say, the link provided via SMS was fake.

At the moment, the company is investigating how far the hackers were able to get and what information has been stolen. As part of its transparency plan, Twilio will notify affected users as soon as it is confirmed that their data has been stolen. Of course, at the moment it is not known what has happened to Authy, since the company has refused to make any statements in this regard.

Can they enter my websites with the Authy keys?

Although Twilio offers many other services, the one that users are really worried about is Authy. If hackers have managed to steal the private keys and timestamps, they could generate literally any two-factor authentication code to break into any website. However, this is unlikely.

Because Authy does not use the typical username/password login, but instead uses a mobile phone number as the user identifier, it would be very difficult to associate any stolen keys with a specific user. Unless, of course, the attackers already have the mobile number, stolen from another website. In addition, we must bear in mind that, when the PIN is used, the data is always encrypted end to end, so, in the worst case, even if they have our mobile number and know who we are, without the PIN they will not be able to decrypt the data.

If we don’t trust it, and we want to shield our security, we simply have to revoke all the generated 2FA keys and re-link them. That way, any data allegedly stolen by the hackers will be useless.
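Why a copied key matters and why re-linking fixes it, as an added example (not code from Authy, Twilio or the original article): it assumes the website uses standard TOTP as defined in RFC 6238, where each code is derived only from the shared secret and the clock. The `Account` class, both secrets and the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a function of the secret and the time only."""
    counter = struct.pack(">Q", unix_time // step)       # 30-second time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record holding one user's 2FA secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def rotate(self, new_secret: bytes) -> None:
        """Revoke the current 2FA key and enrol a new one (re-linking)."""
        self.secret = new_secret

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept the current time step and +/- `window` steps for clock drift."""
        return any(
            hmac.compare_digest(totp(self.secret, unix_time + d * 30), code)
            for d in range(-window, window + 1)
        )


def demo(now: int = 1_700_000_000):
    """Return (copied key accepted before rotation, accepted after rotation)."""
    old_secret = b"constructed-old-key!"   # constructed sample, not a real key
    new_secret = b"constructed-new-key!"   # constructed sample, not a real key
    account = Account(old_secret)
    copied = old_secret                    # the copy exposed in a breach
    before = account.verify(totp(copied, now), now)
    account.rotate(new_secret)             # user revokes and re-links 2FA
    after = account.verify(totp(copied, now), now)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Nothing in the computation ties a code to a device or a user, which is why the copied key is accepted until the site replaces the secret.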
