Authy got hacked, and 33 million user phone numbers were stolen : technology

[–] kitnaht@lemmy.world 150 points 11 months ago (3 children)

'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

[–] just_another_person@lemmy.world 175 points 11 months ago (24 children)

Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.

[–] kitnaht@lemmy.world 30 points 11 months ago* (last edited 11 months ago) (9 children)

Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

It's the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other, is using the system exactly as it was programmed.

Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended. Right-clicking a webpage and viewing the source code isn't hacking - even if the website you're looking at doesn't want you looking at the source.

[–] dezmd@lemmy.world 15 points 11 months ago (2 children)

Exploiting is hacking, quit being pedantic.

load more comments (2 replies)

load more comments (8 replies)

load more comments (22 replies)

[–] Cornelius_Wangenheim@lemmy.world 36 points 11 months ago* (last edited 11 months ago)

That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.

load more comments (1 replies)

[–] Scrollone@feddit.it 109 points 11 months ago (4 children)

Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.

[–] TheEighthDoctor@lemmy.world 43 points 11 months ago (6 children)

I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.

[–] Lem453@lemmy.ca 49 points 11 months ago (1 children)

Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.

If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.

load more comments (1 replies)

[–] dev_null@lemmy.ml 13 points 11 months ago (2 children)

GA now backups your codes in your Google account, so this doesn't happen anymore.

load more comments (2 replies)

load more comments (4 replies)

[–] iamericandre@lemmy.world 21 points 11 months ago

Call my job and tell them this please. I have to use this shite everyday and it sucks.

[–] lazynooblet@lazysoci.al 17 points 11 months ago

I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.

I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.

load more comments (1 replies)

[–] CombatWombat1212@lemmy.ml 69 points 11 months ago (1 children)

Red Shazam

[–] Mr_Dr_Oink@lemmy.world 34 points 11 months ago (2 children)

Wow, it's literally the shazam logo, flipped horizontally and red.

Wonder who got paid to make that logo?

load more comments (2 replies)

[–] ugjka@lemmy.world 67 points 11 months ago (9 children)

I realized long time ago that I don't want my 2FA be tied to my phone number. And then i found you can't export your data from Authy because they know they are scummy fucks and don't want to anyone to leave

[–] maryjayjay@lemmy.world 11 points 11 months ago* (last edited 11 months ago) (3 children)

You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

load more comments (2 replies)

load more comments (8 replies)

[+] net00@lemm.ee 28 points 11 months ago* (last edited 1 day ago) (17 children)

[deleted]

[–] CaptPretentious@lemmy.world 28 points 11 months ago (3 children)

Bitwarden would be my vote

[–] riplin@lemm.ee 10 points 11 months ago

I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.

[–] kahdbrixk@feddit.de 10 points 11 months ago (2 children)

Just out of curiosity: is it wise to keep you MFA within your password safe? Like is that not the opposite of multi factor? I'm no troll, I'm seriously uninformed.

[–] AProfessional@lemmy.world 10 points 11 months ago* (last edited 11 months ago)

Realistically the threat we care about is others leak your password. So it doesn’t matter.

If you have a setup where your password vault is at risk then yes it’s a bad idea.

load more comments (1 replies)

[–] foremanguy92_@lemmy.ml 18 points 11 months ago

Aegis

[–] snek_boi@lemmy.ml 17 points 11 months ago (4 children)

These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.

load more comments (4 replies)

[–] Veraxus@lemmy.world 8 points 11 months ago

Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.

[–] Natanael@slrpnk.net 8 points 11 months ago (1 children)

Most KeePass clones have it now, i use Keepass2Android plus KeePassX on PC

load more comments (1 replies)

[–] padge@lemmy.zip 8 points 11 months ago* (last edited 11 months ago) (2 children)

I like 1Password's built in MFA support, if it's a really sensitive account I use Google Authenticator because I haven't bothered researching better local alternative

Edit: Going to try Aegis for the more sensitive logins, looks like what I'm looking for

load more comments (2 replies)

load more comments (11 replies)

[–] mobsenpai@lemmy.world 25 points 11 months ago

lol. I am glad I became privacy conscious before this happened.

[–] snailfact@infosec.pub 24 points 11 months ago (1 children)

did they have 2fa on?

load more comments (1 replies)

[–] Interstellar_1@lemmy.blahaj.zone 23 points 11 months ago

welp

[–] FlavoredButtHair@lemmy.world 21 points 11 months ago (6 children)

Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.

load more comments (6 replies)

[–] 9point6@lemmy.world 18 points 11 months ago* (last edited 11 months ago) (13 children)

Does anyone have a suggested alternative for authy? (Please read the whole post before responding)

I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:

Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.

At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.

I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

Edit: added emphasis

[–] beerclue@lemmy.world 36 points 11 months ago (5 children)

I use Aegis, which I periodically back up manually off phone.

load more comments (5 replies)

[–] ikidd@lemmy.world 11 points 11 months ago (9 children)

Bitwarden has 2FA built in, and you can host it yourself if you want.

load more comments (9 replies)

[–] Matth78@lemm.ee 10 points 11 months ago* (last edited 11 months ago) (12 children)

Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis

load more comments (12 replies)

load more comments (10 replies)

[–] narc0tic_bird@lemm.ee 14 points 11 months ago (1 children)

Why does it require a phone number to use?!

[–] Wispy2891@lemmy.world 18 points 11 months ago (4 children)

They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.

Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack

load more comments (4 replies)

[–] Mio@feddit.nu 14 points 11 months ago (1 children)

I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.

Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.

load more comments (1 replies)

[–] ___@lemm.ee 12 points 11 months ago (1 children)

Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

load more comments (1 replies)

[–] AlexanderESmith@social.alexanderesmith.com 10 points 11 months ago* (last edited 11 months ago) (3 children)

Stop. Trusting. Cloud/SAAS. Security. Apps.

Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.

Don't give them your personal details, they don't care about protecting user anonymity.

Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create ~~honeypots~~ catnip for hackers, and making you pay them for the privilege of being an easy target.

Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.

[–] 9point6@lemmy.world 11 points 11 months ago (4 children)

"What if I lose my phone?"

I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.

A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.

This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)

load more comments (4 replies)

load more comments (2 replies)

Technology

Our Rules

Approved Bots