jerry ,
@jerry@infosec.exchange avatar
diffiehellmanstan ,
@diffiehellmanstan@infosec.exchange avatar

@jerry I'm considering whether to move to a whole new authenticator altogether. I long for the day when most if not all apps and sites allow hardware keys as the other factor, as opposed to just being an add-on to an MFA app.

And given the SIM swapping potential, it comes down to the mobile provider's customer team adhering to whatever verification procedures they have in place as the last line of defense. I also made sure to set MFA for my mobile account, decidedly not with Authy in this case :blobcatsweat:

EndlessMason ,
@EndlessMason@hachyderm.io avatar

@jerry
So do they just only target user data, or do companies just not have to report their own shit getting stolen?

jerry OP ,
@jerry@infosec.exchange avatar

@EndlessMason the answer is “it depends”. Many jurisdictions have requirements to report when customer/personal data was stolen. US public companies have an obligation to report “material” breaches to the SEC. What “material” means is where things get complicated. The spirit of the requirement is to disclose incidents that could or will affect the financial performance/stock price of the company. In my experience, there’s a lot of analysis on whether a given incident is “material” and if it’s not, we, the public, are likely to never hear about it.

mdavis ,
@mdavis@mastodon.social avatar

@jerry I’d like to know which authenticator app you use and/or recommend.

Might not be a big deal. One hopes that people who use 2FA auth apps are a little more mindful and harder to phish than the average person.

Plus, all phone numbers are already leaked. A FOR-NEXT loop in BASIC can generate all phone numbers. NPA-NXX prefixes are known if you want to make it a little smarter. Then feed it to your robo-dialer/texter.

michaelslade ,
@michaelslade@mastodon.cloud avatar

@jerry Phishing, smishing.

errorbody ,
@errorbody@mastodon.social avatar

@jerry

Does anyone know how I can find out if my number is part of this hack?

Smootasaurus ,
@Smootasaurus@mstdn.social avatar

@jerry FTR Proton does 2FA in their Proton Pass app

scottytrees ,
@scottytrees@mastodon.social avatar

@jerry If you haven't already, "2FAS Auth" is one of the best authentication apps on iOS that I use, and no data breaches!

cyacyacya_nide ,
@cyacyacya_nide@mastodon.social avatar

@jerry this makes me so glad I deleted my Authy account tbh. This is why we can never trust any services that don’t provide their source code to the general public.

Arrakis_Surfer ,
@Arrakis_Surfer@infosec.exchange avatar

@jerry Fine if you didn't use their stupid OTP token feature. Manually managed tokens not leaked.

lulu_powerful ,
@lulu_powerful@fosstodon.org avatar

@jerry They say they "no longer allow unauthenticated requests".

Maybe it's clumsily worded, but... did they previously allow them...?!

It seems silly but this might be how Optus was breached in Australia. One theory was that the endpoint was deliberately opened for testing, and then they just forgot to close it.

theAeon ,
@theAeon@infosec.exchange avatar

@jerry

this might be a good opportunity to recommend Aegis Auth or Ente Auth as Open Source alternatives to Authy.

kiriappeee ,
@kiriappeee@mstdn.party avatar

@jerry I feel like it was just yesterday when I read about some other breach related to Twilio (though not them directly I think)

rysiek ,
@rysiek@mstdn.social avatar

@jerry they should have used a secure, professional third party authorization service, obviously, instead of rolling their own. Sheesh! When will people learn.

nf3xn ,
@nf3xn@mastodon.social avatar

@jerry They were supposed to embargo this news until 3pm tomorrow lol.
