Security Notice: Phone Change Process
Time to read: 1 minute
Security Notice: Phone Change Process
Summary of notice:
- Routine security testing revealed a vulnerability unrelated to authentication
- The vulnerability had potential to expose data for a small number of users (<0.2%)
- We proactively issued a customer notice as a precaution to users
- The Authy service was not affected
The detail…
Through our routine vulnerability research, one of our outside security researchers identified a vulnerability that had the potential to expose the personal data of a small percentage (less than 0.2%) of Authy users. The potentially-affected users are a subset of those that completed the process of changing the phone number on their Authy accounts since February 2014. In particular, the potentially-affected users were those that changed the phone number on their Authy account but no longer had access to their original phone account and were therefore required to submit proof of phone account ownership, which often included identity information such as a passport or driver’s license. This phone change process is independent from and not connected to the Authy API and authentication services, which were completely unaffected.
Immediately upon learning of the vulnerability, the Authy team took steps to move the records to a more secure location and implement data protection methods including access restriction, full encryption, and logging.
While Authy has no evidence that the vulnerability was exploited for improper purposes, as a precautionary measure, Authy has sent an email notification of the vulnerability to potentially affected users and has offered these users identity protection services.
In addition, on 21st December 2015, the Authy team sent out a proactive email advisory to all of our customers whose products or services were accessed by the potentially affected users.
We appreciate the hard work of our security researchers. As always, we are committed to working with outside security experts and the information security community to ensure transparent, rapid response to potential vulnerabilities.
Related Posts
Related Resources
Twilio Docs
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
Resource Center
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Ahoy
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.