Modern Cyber with Jeremy Snyder - Episode 18

Breach Alert at Authy

In this episode of Modern Cyber, Jeremy talks to Viktor Markopoulos, a security researcher, about a recent breach of the MFA service Authy. They discuss how the breach exposed over 33 million phone numbers and associated account details, attributed to broken authentication on an API endpoint and a lack of rate limiting.


Podcast Transcript

Jeremy At Firetail (00:02.574)
All right, welcome back to Modern Cyber. We've got another one of our unfortunate specials, which is analyzing an API data breach. In this case, we are going to be talking about Authy, that is A-U-T-H-Y, that is an authentication and multi-factor authentication system that unfortunately has been breached. And we've been getting a little bit into the information about what is out there. And I'm joined as before by Viktor Markopoulos, our security researcher, to kind of break down what we know so far. Viktor, thanks for joining us today.

Viktor (00:31.296)
Thank you again for having me here. So far we know that a threat actor called Shiny... Damn, forgot his name. So we know that a threat actor called ShinyHunters leaked a list of phone numbers that are using Authy.

Jeremy At Firetail (00:33.934)
Always happy to. Tell us what we know so far.

Jeremy At Firetail (00:49.228)
ShinyHunters.

Viktor (01:00.352)
To be exact, more than 33 million phone numbers, which contain account ID numbers, phone numbers and some other details like account status, device count, etc. We know that so far it's... or should we say that? Sorry, should we continue with the broken authentication part?

Jeremy At Firetail (01:30.114)
No, we'll get to that in just a second here. There was one other interesting thing in there. There is an over the top column, which I have no idea what that means. I don't know if you do either.

Viktor (01:41.504)
Yeah, over the top, I don't know, maybe there's some kind of counter in the backend systems that they're just, I don't know, maybe they're countering something, maybe a user overcame it, I don't know, to be honest.

Jeremy At Firetail (01:57.546)
Yeah, yeah, fair enough. I don't think anybody knows, but let's talk about the primary and secondary breach vector to the extent that we know it. It looks like this was an authentication issue.

Viktor (02:09.984)
Yeah, definitely an authentication issue. If the endpoint was supposed to be an authenticated endpoint, then definitely it was an issue of broken authentication. Also, with the fact that the endpoint wasn't properly rate-limited, meaning that the threat actor probably just... spammed the endpoint to get the results and to leak all those details.

Jeremy At Firetail (02:40.81)
Yeah, but you mentioned that, you know, if the endpoint doesn't have authentication, that's definitely an authentication issue. But let's say it did have authentication and the threat actor is still able to get this data. That's also an authentication issue, right?

Viktor (02:58.208)
Yes, I mean... If it was supposed to be authenticated and if it was actually authenticated and the actor got access to this amount, this kind of details and this kind of information, then it's also definitely an issue of authentication, or more like an excessive exposure, an excessive data exposure, sorry. So, yeah, we really cannot know. Twilio's report doesn't really say much.

Jeremy At Firetail (03:18.602)
Mm -hmm.

Viktor (03:30.322)
Yeah, so basically this is usually the way that APIs are really breached. It's based on authentication and endpoints being exposed, or authenticated endpoints that do expose a lot of data that they shouldn't.

Jeremy At Firetail (03:52.33)
Yeah, yeah, if you look at our state of API security report, you'll see that authentication and authorization are consistently number one and two, both in terms of the number of breach events and the number of records breached. So this is kind of nothing new from that perspective, right?

Viktor (04:09.408)
Yeah, no, definitely. It's also from my experience the number one issue.

So, yeah, even if it's unauthenticated, or even if it should be unauthenticated, you cannot really rely on whether an endpoint would be found or not, or if it's behind an Android application, let's say, that someone cannot really see, because anyone can really just see the app behind the front end and the calls that the app is making.

Jeremy At Firetail (04:45.002)
Yeah, I mean, any mobile app, it's very easy to find all of the calls that it's making, right? I always tell people if you want to understand everything that your phone is communicating with, just look on your home router device and look for all of the logs, all of the network traffic logs, and you'll see, you know, if you're communicating with the backend service over your home Wi-Fi network, all of that is being logged, you can find all of the endpoints right there. Security through obscurity, it's not really a valid strategy anymore.

Viktor (05:16.544)
Yeah, no, Android applications, and generally smartphone applications, they're really just a fancy web app. That's the way I see them and test them.

Jeremy At Firetail (05:27.914)
Mm-hmm. Yeah. So on the lack of rate limiting, I want to talk about that for a second. You know, rate limiting is often kind of called its own thing, but it's also included in the authentication controls, right?

Viktor (05:42.528)
Yeah, yeah, that's true. So we don't really know about this issue, whether it was a smash-and-grab thing, which means, like, you know, throw a lot of requests at it and then the API really just spits out the information without any sort of warning or any sort of rate limiting, or it was like a slow burn or a low-and-slow kind of approach, where it would take the attacker ages to finish, to collect all the data. But still, it's an issue to not really be able to at least identify that something's going on. And this happened for more than 33 million records.

Jeremy At Firetail (06:26.154)
Yeah.

Jeremy At Firetail (06:30.342)
Yeah, yeah, it's quite surprising. And it's, you know, from my perspective, it's also a little bit scary that it's multi-factor authentication, because, you know, this is something that is designed as a security control to prevent breaches. And if you can breach the secure systems, that's not really great, especially knowing how many people use MFA through their mobile phones. And SIM swapping has proven to be a pretty big issue.

There have been many reports recently about staff at mobile phone companies being vulnerable to bribery. I think the going rate right now to pay for a SIM swap is around $300 on dark marketplaces to find somebody and say, hey, I just want to steal that phone number basically by posing as that person and then getting a SIM swap. So that's something that is pretty scary from my perspective.

I worry about MFA or I wonder about MFA because like MFA tends to be an API driven type of control, right?

Viktor (07:34.848)
Yeah, it's based basically on APIs and APIs are responsible for delivering and receiving basically the codes. So the MFA is as secure as the API that's supporting it.

Jeremy At Firetail (07:50.213)
Yep, yeah. I think that is a great note for us to unfortunately leave today's episode on. Brief episode just discussing this breach. Again, 33 million records breached on an MFA system. Top breach vector looks to be broken authentication. Just highlighting the importance and the continued relevance of API security in the modern web. Viktor, thank you for taking the time to join us today on this Modern Cyber Breach Incident Report.

Viktor (08:15.808)
Thank you again, always a pleasure to be here.

Jeremy At Firetail (08:19.141)
Right.
