authy2fa.com
2606:4700:3033::ac43:afce  Public Scan

Submitted URL: http://authy2fa.com/
Effective URL: https://authy2fa.com/
Submission: On April 27 via api from US — Scanned from DE

Form analysis: 2 forms found in the DOM

GET https://www..com/cse

<form action="https://www..com/cse" id="searchform" method="get"><input autocomplete="off" id="s" name="q" placeholder="Search Here..." type="text" value="">
  <input name="cx" type="hidden" value="partner-pub-7983783048239650:3179771210">
</form>

Name: f1
POST https://inl02.netline.com/rssnews0001/

<form action="https://inl02.netline.com/rssnews0001/" class="clear cf" id="subform" method="post" name="f1" target="_blank">
  <div class="email-box-h3"><ya-tr-span data-index="116-0" data-translated="false" data-source-lang="en" data-target-lang="ru" data-value="Join 100,000+ Professionals" data-translation="Присоединяйтесь к более чем 100 000 профессионалам" data-ch="0"
      data-type="trSpan">Join 100,000+ Professionals</ya-tr-span></div>
  <p><ya-tr-span data-index="117-0" data-translated="false" data-source-lang="en" data-target-lang="ru" data-value="Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips."
      data-translation="Зарегистрируйтесь бесплатно и начните получать ежедневную дозу новостей, идей и советов по кибербезопасности." data-ch="0" data-type="trSpan">Sign up for free and start receiving your daily dose of cybersecurity news, insights
      and tips.</ya-tr-span></p>
  <div class="email-input">
    <input name="_submit" type="hidden" value="0001">
    <input id="brand" name="brand" type="hidden" value="thehackernews">
    <div class="e-book"><input checked="yes" id="opt_001" name="opt_001" type="checkbox" value="Y"><input checked="yes" id="opt_003" name="opt_003" type="checkbox" value="Y"></div><label class="visuallyhidden" for="input-email"><ya-tr-span
        data-index="118-0" data-translated="false" data-source-lang="en" data-target-lang="ru" data-value="Email" data-translation="Электронная почта" data-ch="0" data-type="trSpan">Email</ya-tr-span></label><input class="text" id="input-email"
      name="email" placeholder="Your e-mail address" required="" type="email" value="">
    <button aria-label="Subscribe" id="submitform" type="submit" value="Subscribe"></button>
  </div>
</form>

Text Content

Twilio Breach Also Compromised Authy Two-Factor Accounts of Some Users


Aug 29, 2022Ravie Lakshmanan

Twilio, which earlier this month became the target of a sophisticated phishing
attack, disclosed last week that the threat actors also managed to gain access
to the accounts of 93 individual users of its Authy two-factor authentication
(2FA) service.

The communication tools company said the unauthorized access made it possible
for the adversary to register additional devices to those accounts. It has since
identified and removed the illegitimately added devices from the impacted
accounts.

Authy, acquired by Twilio in February 2015, allows safeguarding online accounts
with a second security layer to prevent account takeover attacks. It's estimated
to have nearly 75 million users.

Twilio further noted its investigation as of August 24, 2022, turned up 163
affected customers, up from 125 it reported on August 10, whose accounts it said
were hacked for a limited period of time.



Besides Twilio, the sprawling campaign, dubbed 0ktapus by Group-IB, is believed
to have struck 136 companies, including Klaviyo, MailChimp, and an unsuccessful
attack against Cloudflare that was thwarted by the company's use of hardware
security tokens.

Targeted companies span technology, telecommunications, and cryptocurrency
sectors, with the campaign employing a phishing kit to capture usernames,
passwords, and one-time passwords (OTPs) via rogue landing pages that mimicked
the Okta authentication pages of the respective organizations.

The data was then secretly funneled in real time to a Telegram account
controlled by the cybercriminals, which enabled the threat actor to pivot and
target other services in what's called a supply chain attack aimed at
DigitalOcean, Signal, and Okta, effectively widening the scope and scale of the
intrusions.

In all, the phishing expedition is believed to have netted the threat actor at
least 9,931 user credentials and 5,441 multi-factor authentication codes.

Okta, for its part, confirmed the credential theft had a ripple effect,
resulting in the unauthorized access of a small number of mobile phone numbers
and associated SMS messages containing OTPs through Twilio's administrative
console.

Stating that the OTPs have a five-minute validity period, Okta said the incident
involved the attacker directly searching for 38 unique phone numbers on the
console – nearly all of them belonging to one single entity – with the goal of
expanding their access.

"The threat actor used credentials (usernames and passwords) previously stolen
in phishing campaigns to trigger SMS-based MFA challenges, and used access to
Twilio systems to search for one-time passwords sent in those challenges," Okta
theorized.

Okta, which is tracking the hacking group under the moniker Scatter Swine,
further revealed its analysis of the incident logs "uncovered an event in which
the threat actor successfully tested this technique against a single account
unrelated to the primary target."

Like in the case of Cloudflare, the identity and access management (IAM)
provider reiterated that it's aware of several cases where the attacker sent out
a blast of SMS messages targeting employees and their family members.

"The threat actor likely harvests mobile phone numbers from commercially
available data aggregation services that link phone numbers to employees at
specific organizations," Okta pointed out.

Another supply chain victim of the campaign is food delivery service DoorDash,
which said it detected "unusual and suspicious activity from a third-party
vendor's computer network," prompting the company to disable the vendor's access
to its system to contain the breach.

According to the company, the break-in permitted the attacker to access names,
email addresses, delivery addresses, and phone numbers associated with a "small
percentage of individuals." In select cases, basic order information and partial
payment card information were also accessed.

DoorDash, which has directly notified affected users, noted that the
unauthorized party also obtained delivery drivers' (aka Dashers) names and phone
numbers or email addresses, but emphasized that passwords, bank account numbers,
and Social Security numbers were not accessed.

The San Francisco-based firm did not divulge additional details on who the
third-party vendor is, but it told TechCrunch that the breach is linked to the
0ktapus phishing campaign.


