Security Notice: Phone Change Process

December 22, 2015
Written by
Authy
Twilion



Summary of notice:

  • Routine security testing revealed a vulnerability unrelated to authentication
  • The vulnerability had potential to expose data for a small number of users (<0.2%)
  • We proactively issued a customer notice as a precaution to users
  • The Authy service was not affected

The detail…

Through our routine vulnerability research, one of our outside security researchers identified a vulnerability that had the potential to expose the personal data of a small percentage (less than 0.2%) of Authy users. The potentially affected users are a subset of those who completed the process of changing the phone number on their Authy accounts since February 2014. In particular, the potentially affected users were those who changed the phone number on their Authy account but no longer had access to their original phone account and were therefore required to submit proof of phone account ownership, which often included identity information such as a passport or driver’s license. This phone change process is independent from and not connected to the Authy API and authentication services, which were completely unaffected.

Immediately upon learning of the vulnerability, the Authy team took steps to move the records to a more secure location and implement data protection methods including access restriction, full encryption, and logging.

While Authy has no evidence that the vulnerability was exploited for improper purposes, as a precautionary measure, Authy has sent an email notification of the vulnerability to potentially affected users and has offered these users identity protection services.

In addition, on 21st December 2015, the Authy team sent out a proactive email advisory to all of our customers whose products or services were accessed by the potentially affected users.

We appreciate the hard work of our security researchers. As always, we are committed to working with outside security experts and the information security community to ensure transparent, rapid response to potential vulnerabilities.