'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.
Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
It's the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other, is using the system exactly as it was programmed.
Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended. Right-clicking a webpage and viewing the source code isn't hacking - even if the website you're looking at doesn't want you looking at the source.
That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.
Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
GA now backups your codes in your Google account, so this doesn't happen anymore.
Call my job and tell them this please. I have to use this shite everyday and it sucks.
I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.
I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.
Red Shazam
Wow, it's literally the shazam logo, flipped horizontally and red.
Wonder who got paid to make that logo?
I realized long time ago that I don't want my 2FA be tied to my phone number. And then i found you can't export your data from Authy because they know they are scummy fucks and don't want to anyone to leave
You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.
Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file
People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?
You're gonna leave Authy a copy of your seeds? That defeats the purpose.
Re-key your MFA codes on the way out. Security isn't necessarily convenient.
Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?
Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?
Bitwarden would be my vote
Just out of curiosity: is it wise to keep you MFA within your password safe? Like is that not the opposite of multi factor? I'm no troll, I'm seriously uninformed.
Realistically the threat we care about is others leak your password. So it doesn’t matter.
If you have a setup where your password vault is at risk then yes it’s a bad idea.
I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.
Aegis
These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.
Most KeePass clones have it now, i use Keepass2Android plus KeePassX on PC
Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.
I like 1Password's built in MFA support, if it's a really sensitive account I use Google Authenticator because I haven't bothered researching better local alternative
Edit: Going to try Aegis for the more sensitive logins, looks like what I'm looking for
lol. I am glad I became privacy conscious before this happened.
welp
Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.
Does anyone have a suggested alternative for authy? (Please read the whole post before responding)
I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:
Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.
At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.
I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
Edit: added emphasis
Bitwarden has 2FA built in, and you can host it yourself if you want.
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.
Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.
Why does it require a phone number to use?!
They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.
Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack
Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.
Stop. Trusting. Cloud/SAAS. Security. Apps.
Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.
Don't give them your personal details, they don't care about protecting user anonymity.
Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.
"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.
"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.
There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create ~~honeypots~~ catnip for hackers, and making you pay them for the privilege of being an easy target.
Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.
"What if I lose my phone?"
I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.
A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.
This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)
This is a most excellent place for technology news and articles.
