Summary
- Authy is a 2FA app that recently suffered a data breach that exposed more than 33 million phone numbers.
- An unsecured API endpoint allowed threat actors to collect linked numbers.
- If you think your personal information might be among the 33 million leaked numbers, consider securing your accounts with 2FA and be wary of SMS phishing attacks.
Lol, so what do you do when the 2FA app you use to protect your accounts is breached?
Authy just leaked a list of phone numbers. No actual 2FA data was breached. Even if it were, attackers would need your backup encryption password to access any 2FA keys.
You may get more phishing texts, but that’s about it.
Don’t use cloud-based 2FA and you won’t need to wonder about this.
Aegis is one of several open-source 2FA apps you can use instead.
Ok, but what happens if your phone gets stolen?
The same as for anything else if your phone gets stolen. You restore from backups.
Aegis allows you to make a backup that you can keep yourself on your computer, your own cloud storage, etc.
Every OS has some kind of built-in vault/encryption feature. Put the file in there. It only needs to be updated when you add another 2FA account (so very infrequently).
Good question. You would need to start by changing all your account passwords. Next, export your 2-factor auth codes. Import your auth codes in a good open-source auth app. Then, one by one, set new auth codes for your accounts.
This should be sufficient to protect your online accounts.