735
Authy got hacked, and 33 million user phone numbers were stolen
(appleinsider.com)
This is a most excellent place for technology news and articles.
The scenario you described would not be breaking in.
Terms and conditions being agreed to are not relevant for this purpose. An exposed API is one that is welcome to be exploited. If you're not requiring an API key, you're essentially saying "This API is free for anyone to use" for security purposes, regardless of what you say in the terms and conditions.