Topic: Twilio's Authy 2FA app has been breached. (Read 364 times)

This is why I prefer no login/sign-ups unless absolutely necessary and prefer encrypted backups (although, I keep these backups on cloud); this way even if cloud service were to get breached (always expect worse, no matter how secure they call themselves) and hacker were to get access to my file, nothing would happen since they would require password to access the content and it's password that only I know.

If they can guess the password, they deserve all the monies

p.s: I use Aegis myself, and make encrypted backups.

If you want to save passwords and TOTP than you have the option of using KeePass password manager and some of it's forks like KeePassXC and KeePassDX for mobile devices.
I think that Aegis is still better option if you want to use it only for TOTP, but both of them are good open source options.
Everything is stored and encrypted locally and there is no use of cloud services aka computer of someone else.

You should read the reviews of other members from this thread about Google Authenticator. While it's a good feature of Authy and probably other 2FA apps that it can link to Google Authenticator, we have to be careful at most times as these breaches aren't simple things to ignore.

Based on this update: https://www.twilio.com/en-us/changelog/Security_Alert_Authy_App_Android_iOS
You have to update to the latest software updates, iOs and android.

my favourite one is Google authentication you lose your phone and everything gone I don't knew it was hacked  thank you for letting me knew I used couple of authenation there , what I love about authy is that it provide linking it with Google but these news of sensitive information leaked I still can't believe it, but do I need to change the key and password I am wondering what can I do more ??

I do the same thing as you, just as i back up my seed phrases on paper, i also manage my passwords or any sensitive data on paper. However, for some reasons i know some people may not like the idea of writing their passwords on paper, so i also recommend open source password managers to them, i.e. KeePass, but for now i am yet to see a need to use them, since paper and pen works fine for me.

I stick to the old proven methods of pen and paper, along with some of my own ideas on how to protect such data even if someone were to get hold of it. In the decades I've been using computers and the internet, I've never had a case of someone hacking me - that's why I'll always trust myself more than any program or application that might do its job, but I still think I'm safer without such help.

I totally understand your feeling. I wonder, however, how do you manage your passwords and TOTP secrets (if you have them), could you share what is your methodology? There are also offline programs that you can use (such as KeePassXC[1]) that eliminate the risk that exists in having your vault sent to the cloud...

---

[1]https://keepassxc.org/

I have never used such apps because I simply never considered them safe, just as I do not consider my smartphone to be a safe device, regardless of all the security measures. At some point, all these programs and apps, instead of preventing risks, turn into risks.

I've used both and I would recommend both (be aware that Aegis is just a TOTP generator, it can't hold any passwords). Bitwarden has the possibility that you can self-host it but you have to consider what is safer : Are you able to provide a more secure environment than Bitwarden infrastructure? If you are then you should run your own version so that you are in full control. Otherwise you will just have to trust that Bitwarden will protect your encrypted vault better than you would. They use AES-CBC 256-bit encryption for your vault and PBKDF2 SHA-256 to make a derivation of your private key[1] (using 200,001 rounds both on the server side and client side) so it ends up being better than the encryption implemented by Authy (which is almost the same, but it only uses 1000 rounds[2]). The integration of the TOTP within the app works really well and if you have the browser extension running then it is a seamless experience when you are logging in to any service. Do note that you only have access to TOTP integration if you pay their premium plan - which I consider quite affordable at $10 per year - plus you'll also get 1GB of encrypted file storage and access to Bitwarden Send[3] for both text and files.

If it was me what would allow me to rest better at night would be a combination of the two - Bitwarden for my password needs and then Aegis for my TOTP needs. Like I said to TryNinja I wouldn't feel safe having all of them stored in Bitwarden - if by any random chance a malicious actor would gain access to my vault then he/she would have total control of my accounts.

---

[1]https://bitwarden.com/help/what-encryption-is-used/
[2]https://authy.com/blog/how-the-authy-two-factor-backups-work/
[3]https://bitwarden.com/products/send/

To be honest, I'm not sure how it works when it asks for personal mobile numbers because other 2FAs don't work like that. But still, those that have it need to be careful.

Yeah, it's aegis that's being used by the reputable people here and suggesting to use it. People should avoid using Google Auth and Authy nowadays.

That seems to be the only threat but still, once these bad actors got people's numbers. They'll pass it on to the others and who knows what else they can do. As for bitwarden, I guess that I've read that in some other recommendations but haven't really used it. So aside from aegis, there goes bitwarden. I do hope that the others are reading this thread for their reference.

I actually consider moving, i already downloaded aegis and bitwarden. I remember some people here recommends using aegis as their 2fa manager. I would love to hear thoughts on those who have experienced of using of both app (aegis and bitwarden).

Whatever road that Raivo is about to follow, considering all those shady updates, for sure it will take the wrong turn. If not now, it will come eventually. Perhaps it is indeed better for you to consider another TOTP provider.
I understand your fears - if a malicious actor gains access to your Bitwarden account then he/she has total access to your accounts because both your passwords and TOTP's are generated there. Perhaps consider other open source options for the TOTP codes?

Yes, I'm on iOS.

But now that I closely check the links, I found a comment with a screenshot that looks like iOS and had the payment screen. Maybe they reverted it? https://www.reddit.com/r/apple/comments/1d402za/raivootp_iphone_2fa_app_sold_latest_update/l6cttvm/

I might just migrate everything to Bitwarden, didn't do it before because I prefer to keep my passwords and TOTP separated (I already use them as password manager), but idk...

Bear in mind that this was not the first breach that Authy suffered. There have been a few already[1][2] and, to my books, more than 1 would be enough to convince me that they are not worth to have my data, let alone considering the type of service that they offer. Again, this is purely by personal opinion. The fact that you have to rely on a "non official" tool to export your 2FA codes[3][4] is just ridiculous and shows how deep they want you to be locked in to their app.
I have used Bitwarden in past so if you need help just let me know and I'll try to help you.

---

[1]https://www.twilio.com/en-us/blog/august-2022-social-engineering-attack
[2]https://www.engadget.com/twilio-authy-data-breach-202314313.html
[3]https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93
[4]https://help.ente.io/auth/migration-guides/authy/

I'm one if their users lol. If the only concern is those future spam sms and phishing attempts it's useless, unless the security was breach to the extent that malicious attackers hold those confidential security data then i'll consider myself to migrate to other app.

Talking about to migrate, whoever have the experience of using Bitwarden, saw it as recommendation from the comments in that article posted in OP.

Are you using iOS by any chance? The conversation on GitHub that logfiles presented has a reference where it says that the paywall isn't present (yet?) on the iOS application, so perhaps they are starting out in the Android market to see how it reacts before going into Apple market?

That's weird. I have never seen that screen at all, even if I open the app right now there is no option to buy any pro version. Maybe it's only for new users? App is also up to date with no new versions on the app store.

They did. In fact, the app was acquired by Mobime and things took quite a twist. I don't think it's the same app as it used to be

From the month of June, they have had so many negative reviews due to an update they messed up user OTP codes.

1. https://apps.apple.com/us/app/raivo-authenticator/id1459042137
2.RaivoOTP iPhone 2FA app sold. Latest update removes access to existing TOTP tokens
3. https://github.com/raivo-otp/ios-application/releases

4. I don't think it's open source and non-commercial any more - https://github.com/raivo-otp/marketing-website/pull/22


Well, that's how good apps get ruined overnight.

I am not an iOS user but someone posted that Ravio developers has stopped developing the app. Is that true? Although, if you use it offline, I do not think that would of any problem.

best 2FA app for IOS?

Since I joined this forum, I have read on many post that Tofu is also good for iOS users. I even saw a post about it by Leo before he left this forum.

I used both andOTP and Authy back in the day, I no longer access or need any of the services that's was linked to them though. This reinforces my idea that if a service requests for personal information like email or phone numbers when you create an account, using a burner number and email is the best privacy option.