
Security Notice: Administrative Database Policy on Minor Database

On January 13, 2016, Authy engineers identified an insecure access policy on a datastore serving an administrative application. The access policy made the datastore readable and writable by anonymous users on the public Internet.

The datastore did not contain any information about Authy customers, end users or billing information. It did not, and does not, contain any sensitive data such as credit card data, cryptographic keys, or other personal data for any Authy customer or end user.

The impacted datastore relates to the Authy service only. No Twilio data or systems were accessible or compromised.

It did contain encrypted data that could be used to access Authy administrative systems. Those systems were in turn also secured with Authy 2FA. All access to these systems is closely monitored, and an immediate and thorough forensic analysis of all administrative systems found no indication that any illegitimate access occurred during the time the access policy was in effect. This analysis is continuous and ongoing as part of Authy’s own security procedures.

This notice is part of our commitment to transparency; as a security vendor, we take issues like this seriously. If you have any questions or concerns about this incident, the security of your user data, or your account, please contact us at [email protected].

About the author: Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world class solution for developers to build security into their applications.
