Security Notice: Administrative Database Policy on Minor Database

On January 13, 2016, Authy engineers identified an insecure access policy on a datastore serving an administrative application. The access policy made the datastore readable and writable by anonymous users on the public Internet.

The datastore did not contain any information about Authy customers, end users or billing information. It did not, and does not, contain any sensitive data such as credit card data, cryptographic keys, or other personal data for any Authy customer or end user.

The impacted datastore relates to the Authy service only. No Twilio data or systems were accessible or compromised.

It did contain encrypted data that could be used to access Authy administrative systems. Those systems were in turn also secured with Authy 2FA. All access to this system is highly monitored and an immediate and thorough forensic analysis of all administrative systems provided no indication that any illegitimate access occurred during the time the access policy was applied. This analysis is constant and ongoing as part of Authy’s own security procedures.

This notice is part of our commitment to transparency and as a security vendor, we take issues like this seriously. If you have any questions or concerns about this incident, the security of your user data or your account, please contact us at [email protected].