Twilio, the developer of the Authy authenticator app, said user phone numbers were leaked to attackers but accounts themselves were not compromised.
Hackers gained access to the Authy Android app database and “were able to identify data associated with [accounts], including phone numbers,” according to a July 1 security alert post issued by the app’s developer, Twilio.
The accounts themselves “are not compromised,” the post stated, implying that the attackers were not able to gain authentication credentials. However, the exposed phone numbers may be used for “phishing and smishing attacks” in the future. Because of this risk, Twilio encouraged Authy users to “stay diligent and have heightened awareness around the texts they are receiving.”
Related: What is a phishing attack in crypto, and how to prevent it?