Twilio finally disabled its Authy desktop apps for Windows, macOS, and Linux almost two weeks ago, automatically logging out all existing users. Once users were kicked out of their accounts on desktop devices, they could no longer log back in.
In January, Twilio announced these desktop clients would reach their end of life on March 19 and be discontinued in August 2024. Since March, users have been advised to switch to the mobile version, and those who ignored the warning found their accounts were lost unless they had previously synced them.
Those who did manage to synchronize their desktop apps with the mobile versions ran into another issue: some of the user tokens did not sync correctly, rendering their associated accounts unusable.
Last month, Twilio confirmed cybercriminals were able to identify the phone numbers of people who use the Twilio-owned two-factor authentication (2FA) app Authy via an unsecured API endpoint. The acknowledgment came after the ShinyHunters hacker group boasted of leaking 33 million Authy user phone numbers on the relaunched BreachForums website in late June.
In 2022, Twilio was hit by two attacks that were allegedly carried out by the same threat actor. At the time, Twilio said hackers successfully targeted over 90 individual Authy users and managed to steal real 2FA codes by registering additional devices on the victims’ Authy accounts.