Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy multi-factor authentication users, potentially making them vulnerable to SMS phishing and SIM swapping attacks.
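The failure described above is a user-enumeration endpoint: an unauthenticated request reveals whether a phone number is enrolled. The following is an added example, not Twilio's or Authy's code, showing the weak pattern beside a hardened form that requires an assumed client token, rate-limits per caller, and returns the same body whether or not the number exists; the directory entries and token are constructed placeholders.

```python
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample directory (fictional numbers), standing in for enrolled users.
REGISTERED = {"+15550100001": "user-a", "+15550100002": "user-b"}
API_TOKEN = "hypothetical-client-token"  # assumed shared secret for the legitimate client
RATE_LIMIT, WINDOW_SECONDS = 5, 60
_hits = defaultdict(list)   # caller id -> request timestamps
outbound_sms = []           # internal side effect only; never echoed to the caller


def vulnerable_lookup(phone: str) -> dict:
    """Weak pattern: an unauthenticated GET tells anyone whether a number is enrolled."""
    if phone in REGISTERED:
        return {"status": 200, "registered": True, "user": REGISTERED[phone]}
    return {"status": 404, "registered": False}


def _rate_limited(caller: str, now: float) -> bool:
    """Sliding-window counter: True once the caller has RATE_LIMIT hits in the window."""
    recent = [t for t in _hits[caller] if now - t < WINDOW_SECONDS]
    _hits[caller] = recent + [now]
    return len(recent) >= RATE_LIMIT


def hardened_lookup(phone: str, token: Optional[str], caller: str,
                    now: Optional[float] = None) -> dict:
    """Hardened form: auth required, per-caller rate limit, and the response
    body is identical whether or not the number is enrolled."""
    now = time.time() if now is None else now
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return {"status": 401}                     # same answer for every number
    if _rate_limited(caller, now):
        return {"status": 429}
    if phone in REGISTERED:
        outbound_sms.append(phone)                 # the only difference stays server-side
    return {"status": 202,
            "message": "If this number is enrolled, a verification code was sent."}
```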
Especially with such careless failures. If some employee was tricked through a well-planned social engineering attack, or they used some mega obscure 0-day vulnerability, I’d not be happy, but shit happens, I guess.
But not sending my phone number when someone just posts some GET command to an API should be a no-brainer…
Goddammit, can companies stop leaking our shit everywhere please