MFA Breached via Unauthenticated APIs

What happens when the system designed to authenticate you to your online accounts is vulnerable itself? Threat actors recently verified phone numbers for millions of Authy users via an unsecured API endpoint. The irony is, the whole thing stems from an authentication issue…

Authy is a Twilio-owned application used to retrieve multi-factor codes for certain websites. Unfortunately, Twilio recently revealed to BleepingComputer that millions of phone numbers were verified through an unsecured endpoint that lacked adequate authentication. Authentication is one of the top two cyber vulnerabilities of 2024, both in terms of actual attacks and records breached. See our State of API security report 2024 for more information on top threat vectors.

When your security lacks adequate security…

Let’s back up a little. Multi-factor authentication (MFA) relies heavily on APIs. The core system holds the first set of credentials, such as a username / user ID / email and a password (ideally both encrypted and salted). The multi-factor step usually comes from a second system that is disconnected by design from the core system, and that second system is called via an API to generate the second authentication factor (2FA).

The breach in question occurred because of a vulnerability in one of these APIs. Authy may have been relying on security by obscurity for one of its API endpoints, and as we all know by now, that is not a sound tactic, no matter how obscure the endpoint is supposed to be.

Rate limiting also appears to have been missing, as over 30 million records were queried and no alarms went off. We don’t know whether the attack was a “smash and grab,” in which bad actors overwhelmed the endpoint with requests all at once, or a “low and slow,” where they spread the queries out over time in small increments. Either way, there is little excuse for that volume of records not raising alarms within Authy’s security system.

Takeaways

All this said, if you are an Authy user, rest assured that this specific vulnerability has been fixed. Twilio told BleepingComputer that “We have taken action to secure this endpoint and no longer allow unauthenticated requests.” Authy is requiring all users to update to a new mobile app that has secure communications and authentication moving forward.

However, this is far from the end of the API security challenge. MFA vulnerabilities may affect other services as well, and no one is exempt from cyber risk. Another common issue we’ve been seeing lately is telecommunications support employees being vulnerable to bribes from bad actors and giving up SIMs in exchange for payments.

Overall, Authy’s MFA vulnerability highlights the harsh truth that no one, even those who are supposed to be protecting us, is safe from cyber threats in today’s digital landscape.

This also highlights the need for a comprehensive approach to API security that doesn’t rely on one approach alone. For effective API security in this case, a combination of a few tactics would be needed:

  • Continuous discovery and visibility of APIs and API endpoints
  • Assessment of each API and API endpoint for security design flaws, like endpoints or methods that don’t require authentication
  • Monitoring of API requests, with the ability to set context-aware triggers to alert on malicious activity
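One way to implement the monitoring and rate-limiting checks described above, as an added example that is not code from the original post or from Authy/Twilio: the log format, the lookup endpoint, the client addresses and the thresholds are all constructed for this illustration. It flags unauthenticated use of the endpoint, a one-minute burst from one client (the smash-and-grab pattern), and a high count of distinct identifiers queried by one client over a longer horizon (the low-and-slow pattern that a plain per-minute limit would miss).

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_LIMIT = 50   # assumed threshold: requests per client per minute
SLOW_LIMIT = 200   # assumed threshold: distinct identifiers per client over the log horizon


def sample_log():
    """Constructed sample: one burst client, one low-and-slow client, one normal client."""
    base = datetime(2024, 7, 1, 9, 0, 0)
    recs = []
    # smash and grab: 60 unauthenticated lookups inside one minute
    for i in range(60):
        recs.append({"ts": base + timedelta(seconds=i), "src": "203.0.113.7",
                     "phone": f"+1555000{i:04d}", "auth": False})
    # low and slow: one unauthenticated lookup every five minutes for about 21 hours
    for i in range(250):
        recs.append({"ts": base + timedelta(minutes=5 * i), "src": "198.51.100.9",
                     "phone": f"+1555100{i:04d}", "auth": False})
    # legitimate client presenting a credential on every request
    for i in range(3):
        recs.append({"ts": base + timedelta(hours=i), "src": "192.0.2.5",
                     "phone": "+15559990001", "auth": True})
    return recs


def analyse(records, burst_limit=BURST_LIMIT, slow_limit=SLOW_LIMIT):
    """Group lookup-endpoint records by client and return the alerts each one triggers."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["src"]].append(r)
    report = {"unauthenticated": {}, "burst": [], "low_and_slow": []}
    for src, recs in per_client.items():
        unauth = sum(1 for r in recs if not r["auth"])
        if unauth:  # the design flaw itself: the endpoint answered without a credential
            report["unauthenticated"][src] = unauth
        # sliding one-minute window over sorted timestamps catches the burst
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > timedelta(minutes=1):
                start += 1
            if end - start + 1 > burst_limit:
                report["burst"].append(src)
                break
        # distinct identifiers over the whole horizon catches low-and-slow enumeration
        if len({r["phone"] for r in recs}) > slow_limit:
            report["low_and_slow"].append(src)
    return report
```

Running `analyse(sample_log())` flags 203.0.113.7 for the burst and 198.51.100.9 for slow enumeration, while the authenticated client raises nothing.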

API security is rapidly rising to become one of the biggest issues for companies today, but many are still overlooking the problem, and paying the price. If you’d like to learn more about API security or see how FireTail can help, book a free demo with us today.