Massive Authy leak, plus Proton Docs

Promoting press freedom in the 21st century

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

Freedom of the Press Foundation (CC BY 4.0)

In the news

The parent company of Authy, an application for two-factor authentication, has issued a critical security update to its Android and iOS users. According to BleepingComputer, hackers used leaked phone numbers from past data breaches to identify up to 33 million Authy users. “This technique is similar to how threat actors abused an unsecured Twitter API and Facebook API to compile profiles of tens of millions of users that contain both public and non-public information.” Read more here.

We also want to spotlight Proton Docs — the latest member in the Proton ecosystem. As a privacy-preserving and end-to-end encrypted, collaborative document editor, Docs provides an alternative to Google Docs and Microsoft Word. If you are familiar with Proton Drive or are planning to migrate services, do try it!

What you can do

We regularly advise our readers about data breaches and targeted phishing attempts. Besides updating the Authy app, we anticipate that users could face SMS phishing and phone account hijacking attempts. Please consider these actions if you were affected by this data breach:

  • You might receive suspicious messages claiming to be from Authy or another sender. If you’re not expecting a message, think twice before clicking on any links in it; they could potentially help an attacker bypass two-factor authentication and access your accounts.
  • If you are less confident in Authy, look at alternative 2FA applications such as Proton Pass and Google Authenticator. YubiKey provides a physical authentication method, utilizing a USB device instead of your phone number. Learn more about the multiple approaches to two-factor authentication.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,

Kevin

Kevin Pham

Digital Security Training Intern

Freedom of the Press Foundation
