During security testing a vulnerability was exposed on the Authy app, a two-factor authentication tool. Less than 0.2% of Authy users were affected.
An outside security research team discovered the vulnerability which affects users who changed the phone number on Authy accounts since February 2014. The users affected were no longer able to access their original phone and so thus had to prove phone ownership. This process included government issued ID’s.
Authy immediately moved to patch the vulnerability and has no evidence the vulnerability was exploited by nefarious characters. Authy sent out an e-mail which can be seen here:
We are writing to notify you that we recently became aware of a security vulnerability affecting the identification information (e.g., driver’s license, passport or other ID) you previously submitted to us in connection with a request to change your telephone number on your Authy account. This vulnerability may have impacted the confidentiality of that information so, as a precautionary measure, we are writing to inform you of this issue in case you wish to take any of the actions we describe below.
Please be assured that we are taking this matter very seriously and have fixed the vulnerability quickly upon becoming aware of it. We have no reason to believe that your information has been accessed improperly, but we take our responsibility to our customers seriously and for that reason wanted to make you aware of this event and inform you of measures you can take to protect yourself against the risk of misuse of your identity.
What precautionary steps can I take?
We have arranged to have AllClear ID protect your identity for 12 months at no cost to you. The following identity protection services start on the date of this notice and you can use them at any time during the next 12 months.
- AllClear SECURE: The team at AllClear ID is ready and standing by if you need identity repair assistance. This service is automatically available to you with no enrollment required. If a problem arises, simply call 877-676-0379 and a dedicated investigator will help recover financial losses, restore your credit and make sure your identity is returned to its proper condition.
In addition to taking advantage of the above offer, we want to describe certain steps that you can take to protect yourself against misuse of your identity.
- We have enclosed instructions on how you can contact the three major credit bureaus to place a 90-day fraud alert on your account, inquire about any unusual activity on your accounts, and request a free credit report.
- In addition, you may wish to consider contacting the agency or entity that issued you the identification information you submitted. They may be able to provide you with new identification information.
- We also suggest that you carefully review all bills and account statements you may receive over the next several months and report any suspicious activity to the financial institution of the account at issue. If you think that your personal information is being improperly used in any manner, you can also contact local law enforcement to file a police report and contact the Federal Trade Commission at 1-877-ID THEFT (877-438-4338).
- As a final precaution, you may also consider changing the passwords on any e-mail or other online accounts you use—particularly if these passwords, or their accompanying security questions, were based on information contained within your identification information.
What if I have questions?
Should you have further questions about this matter, please contact our customer support team at email@example.com. For quickest routing of your question, include “Authy Security Notice” in the subject line. We value and appreciate your business. We regret this situation and any inconvenience or concern it may cause you. Authy is committed to maintaining the security and privacy of customer information and takes many precautions for the security of personally identifiable information.
Sincerely, The Authy Team
Two-factor authentication allows users a means of logging into accounts with two separate devices in order to prove identity. It’s use has become widespread in recent use, especially with the adoption of cell phones, in order to protect online accounts.
We have reached out to Authy for comment and will have an update article with the information they provide.
Do you use Authy? Let us know in the comments below!