Twilio Authy Security Notification

The Twilio Security Team recently detected that a threat actor was able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated API endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.

There is no evidence of a breach of Twilio’s systems or other sensitive data.

Key Points:

  • Twilio did not leak the bulk list of phone numbers. The threat actor tested millions of phone numbers to identify numbers associated with Authy accounts.
  • They bypassed our protections using multiple IP addresses.
  • The affected API endpoint is used exclusively by the Authy app during device registration and not by business customers. The API is now secure and does not allow requests from unvalidated mobile devices.
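
The enumeration described in the Key Points was spread across many IP addresses, which is why a per-IP limit alone does not see it. The following is an added example, not Twilio's code: it counts distinct phone numbers looked up on one endpoint per time window across all sources, and the log format, endpoint path and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds for illustration; tune against real traffic.
PER_IP_LIMIT = 5              # lookups one source IP may make per window
ENDPOINT_DISTINCT_LIMIT = 20  # distinct numbers probed per window, all IPs
WINDOW_SECONDS = 60
LOOKUP_PATH = "/hypothetical/registration/lookup"  # placeholder, not a real path


def parse(line):
    """Parse a constructed log line: '<epoch> <ip> <path> <phone>'."""
    ts, ip, path, phone = line.split()
    return int(ts), ip, path, phone


def detect_enumeration(lines, path=LOOKUP_PATH):
    """Return one finding per window: per-IP view beside the endpoint-wide view."""
    per_ip = defaultdict(lambda: defaultdict(int))  # window -> ip -> requests
    phones = defaultdict(set)                       # window -> distinct numbers
    for line in lines:
        ts, ip, req_path, phone = parse(line)
        if req_path != path:
            continue
        window = ts - ts % WINDOW_SECONDS
        per_ip[window][ip] += 1
        phones[window].add(phone)
    findings = []
    for window in sorted(phones):
        over = sorted(ip for ip, n in per_ip[window].items() if n > PER_IP_LIMIT)
        findings.append({
            "window": window,
            "ips_over_limit": over,
            "source_ips": len(per_ip[window]),
            "distinct_phones": len(phones[window]),
            "endpoint_alert": len(phones[window]) > ENDPOINT_DISTINCT_LIMIT,
        })
    return findings


def sample_log():
    """Constructed traffic: 10 source IPs, 4 lookups each, 40 distinct numbers."""
    return [
        f"{1700000000 + i} 198.51.100.{i % 10 + 1} {LOOKUP_PATH} +1555010{i:04d}"
        for i in range(40)
    ]


if __name__ == "__main__":
    for finding in detect_enumeration(sample_log()):
        print(finding)
```

On the constructed sample no single IP exceeds its limit, yet the endpoint-wide distinct-number count raises the alert.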

Action Required:

  • Update your Authy app: Please update your Authy app to the latest Android and iOS app versions to receive the latest security updates.
  • Stay vigilant: Although your Authy account is secure, threat actors might use associated phone numbers for phishing and smishing attacks. Be extra cautious and verify the legitimacy of any texts you receive.

Additional Resources:

  • CVE Publication
  • Twilio Changelog
