What is Twilio Authy?
Twilio Authy is one of the most widely used authenticator apps for multi-factor authentication (MFA), protecting millions of accounts across consumer and enterprise services. Authy stores TOTP (Time-based One-Time Password) tokens and provides MFA codes for banking, social media, cryptocurrency exchanges, corporate SSO systems, and other high-value services. Because Authy is tied to users' phone numbers and protects access to sensitive accounts, a list of Authy-registered phone numbers is directly actionable for targeted phishing, SIM-swapping, and social engineering attacks focused on bypassing MFA.
Overview
CVE-2024-39891 is an information disclosure vulnerability in Twilio's Authy API: an unauthenticated endpoint accepted phone number inputs and returned a response indicating whether that number was registered with Authy. Attackers exploited this oracle to enumerate Authy user registrations at scale, confirming 33 million phone numbers as belonging to Authy users. The breach was publicized by the ShinyHunters threat actor group in June 2024, and Twilio confirmed the exploitation on July 1, 2024. The vulnerability's significance extends beyond the CVSS score — knowing that a phone number belongs to an Authy user directly identifies accounts protected by MFA, making those accounts targets for SIM-swapping attacks designed to steal the MFA factor.
Affected Versions
| Product | Status |
|---|---|
| Twilio Authy (Android and iOS) | Endpoint secured by Twilio following disclosure |
Technical Details
CWE-203 (Observable Discrepancy). The Authy API contained an endpoint that accepted a phone number as a parameter without requiring any authentication. The API's response differed depending on whether the supplied phone number was registered: a registered number returned different data (such as account details or a non-error response) than an unregistered number. This discrepancy allowed an attacker to automate requests across large phone number lists — treating the API as a boolean oracle to confirm which numbers had Authy accounts.
The attack is straightforward: iterate through phone numbers (purchased from data brokers, sourced from prior breaches, or systematically generated by country code and prefix), submit each to the unauthenticated endpoint, and collect the subset that returns a positive confirmation. The result is a high-confidence list of phone numbers belonging to Authy users — people who specifically use MFA and thus protect high-value accounts.
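Added example (not Twilio's code): a minimal model of the observable-discrepancy pattern described above, the uniform-response fix beside it, and an enumeration detector run over constructed access-log lines. The endpoint path, the registry, the log format and the threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample registry for the demo; not real Authy data.
REGISTERED = {"+15550100001", "+15550100002"}

def lookup_vulnerable(phone: str) -> dict:
    """CWE-203 pattern: the reply differs by registration state, so an
    unauthenticated caller can use the endpoint as a yes/no oracle."""
    if phone in REGISTERED:
        return {"status": 200, "body": {"registered": True}}
    return {"status": 404, "body": {"error": "not found"}}

def lookup_hardened(phone: str) -> dict:
    """Uniform response: identical status and body whether or not the number
    is registered. Registration state only drives an out-of-band action,
    never the HTTP reply."""
    if phone in REGISTERED:
        pass  # hypothetical: start the verification flow for the real account
    return {"status": 202,
            "body": {"message": "If this number is registered, we have sent a code."}}

def is_oracle(handler, registered_number: str, unregistered_number: str) -> bool:
    """True if the handler's reply lets a caller tell the two classes apart."""
    return handler(registered_number) != handler(unregistered_number)

def flag_enumeration(log_lines, threshold: int = 3):
    """Flag client IPs that queried the lookup endpoint for more distinct
    phone numbers than `threshold`. Constructed log format:
    '<timestamp> <client_ip> <method> <path> <status>'; hypothetical path
    '/users/<number>/status'."""
    numbers_by_ip = defaultdict(set)
    for line in log_lines:
        _ts, ip, _method, path, _status = line.split()
        parts = path.split("/")
        if len(parts) == 4 and parts[1] == "users" and parts[3] == "status":
            numbers_by_ip[ip].add(parts[2])
    return sorted(ip for ip, nums in numbers_by_ip.items() if len(nums) > threshold)

# Constructed access-log sample: one client probes many numbers, one does not.
SAMPLE_LOG = [
    "2024-06-20T10:00:01Z 198.51.100.7 GET /users/+15550100001/status 200",
    "2024-06-20T10:00:01Z 198.51.100.7 GET /users/+15550100002/status 200",
    "2024-06-20T10:00:02Z 198.51.100.7 GET /users/+15550100003/status 404",
    "2024-06-20T10:00:02Z 198.51.100.7 GET /users/+15550100004/status 404",
    "2024-06-20T10:00:03Z 203.0.113.5 GET /users/+15550100001/status 200",
]
```

The detector counts distinct numbers per client rather than request volume, because an enumeration run stands out by breadth of numbers probed even at a low request rate.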
Discovery
The vulnerability was exploited before public disclosure. ShinyHunters — a cybercriminal group known for large-scale data theft and sale — posted a database claiming 33 million Authy-registered phone numbers on a hacking forum in late June 2024. Twilio investigated and confirmed that an unauthenticated API endpoint had been abused to generate this dataset, and disclosed the vulnerability on July 1, 2024. Twilio secured the endpoint following discovery.
Exploitation Context
The value of the leaked dataset lies in its utility for downstream attacks against MFA-protected accounts. Phone numbers confirmed as Authy-registered are high-probability targets for:
- SIM swapping: Social-engineering mobile carriers to transfer the victim's phone number to an attacker-controlled SIM, intercepting MFA codes
- Phishing with MFA bypass: Real-time phishing proxies that relay MFA codes as victims enter them
- Social engineering: Impersonating MFA resets, Twilio support, or targeted vishing campaigns against known MFA users
Because Authy users disproportionately protect financial accounts, cryptocurrency holdings, and corporate SSO, the 33 million number dataset is particularly valuable to financially-motivated attackers.
Remediation
- Twilio has secured the vulnerable API endpoint — no user action is required to patch the server-side issue.
- Authy users should be aware their phone number may be in the leaked dataset and take precautions: contact their carrier to add a SIM-lock/PIN to prevent unauthorized SIM swaps.
- Enable carrier account PINs and port freezes to prevent SIM-swapping attacks that could capture Authy TOTP codes.
- Where possible, switch from SMS-based MFA to app-based TOTP or hardware keys for critical accounts — this reduces the attack surface even if SIM-swapping is attempted.
- Monitor for suspicious account recovery requests or carrier notifications about SIM-swap activity on Authy-linked numbers.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-39891 |
| Vendor / Product | Twilio — Authy |
| NVD Published | 2024-07-02 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-203 (Observable Discrepancy) |
| CISA KEV Added | 2024-07-23 |
| CISA KEV Deadline | 2024-08-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-06-26 | ShinyHunters threat actor leaks data claiming 33 million Authy phone numbers on a hacking forum |
| 2024-07-01 | Twilio confirms the breach — an unauthenticated API endpoint allowed phone number verification against Authy's user base |
| 2024-07-02 | CVE-2024-39891 published |
| 2024-07-23 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2024-08-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Twilio Security Alert — Authy Android and iOS | Vendor Advisory |
| NVD — CVE-2024-39891 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |