On Thursday 23rd February 2017, the security team at Twilio was notified about a problem with Cloudflare, one of our service providers. Cloudflare had identified a bug in their service that exposed customer data and some of it was cached in internet search engines such as Google, Bing and Yahoo. For more detail on the bug itself, please read the Cloudflare blog.
Before we get into detail, there are three important things you need to know.
Twilio and Authy are working closely with Cloudflare to understand the ongoing impact of the incident. According to Cloudflare, Authy data was not discovered in any known cache. However, we are nonetheless treating this incident as if we have been impacted.
There are two main concerns we have from this incident.
The greatest risk is that your API key was exposed, so you must log in to the Authy administrative dashboard or console and generate a new API key. Update your production systems to use the new key first, then revoke the old key; do not revoke it while anything in production still depends on it. You can also configure a whitelist of fixed IP addresses from which your application communicates with the Authy API (these must be the public egress addresses your requests arrive from, such as your NAT gateway or proxy, not internal host addresses). In addition, we have terminated all open sessions to our dashboard, so you will need to sign in again.
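The rotation order above (generate, deploy, confirm nothing still uses the old key, then revoke) is easy to get wrong under incident pressure. The following is an added example, not Twilio or Authy code, of a small helper that enforces that order and also builds the kind of egress IP whitelist the notice mentions. Everything in it is constructed for illustration: `probe_key` stands in for an authenticated request to the Authy API with the candidate key (injected as a callable so the example runs offline), and the sample config files and instance reports are made up.

```python
"""Added example: enforce the safe API-key rotation order and check an egress allowlist.

Not Twilio/Authy code. All names (RotationState, probe_key, fingerprint, the
sample configs and instances) are assumptions constructed for this example.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable, Mapping


def fingerprint(api_key: str) -> str:
    """Short SHA-256 prefix so keys can be compared and logged without exposing them."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]


@dataclass
class RotationState:
    old_key: str
    new_key: str
    new_key_verified: bool = False
    old_key_revoked: bool = False
    log: list = field(default_factory=list)


def verify_new_key(state: RotationState, probe_key: Callable[[str], bool]) -> bool:
    """Step 1: prove the new key works before anything depends on it.
    probe_key is assumed to call the API with the key and return True on success."""
    ok = probe_key(state.new_key)
    state.new_key_verified = ok
    state.log.append(f"verify {fingerprint(state.new_key)}: {'ok' if ok else 'FAILED'}")
    return ok


def stale_references(state: RotationState, sources: Mapping[str, str]) -> list:
    """Step 2 check: config files or manifests that still carry the old key."""
    return sorted(name for name, text in sources.items() if state.old_key in text)


def lagging_instances(state: RotationState, reported: Mapping[str, str]) -> list:
    """Step 2 check: running instances whose reported key fingerprint is not the new key's."""
    want = fingerprint(state.new_key)
    return sorted(name for name, fp in reported.items() if fp != want)


def revoke_old_key(state: RotationState, sources: Mapping[str, str],
                   reported: Mapping[str, str], revoke: Callable[[str], None]) -> list:
    """Step 3: revoke only when nothing can still be using the old key.
    Returns the blockers found; an empty list means the revocation happened."""
    blockers = []
    if not state.new_key_verified:
        blockers.append("new key has not been verified against the API")
    blockers += [f"config still references old key: {n}" for n in stale_references(state, sources)]
    blockers += [f"instance not yet on new key: {n}" for n in lagging_instances(state, reported)]
    if blockers:
        state.log.extend(blockers)
        return blockers
    revoke(state.old_key)
    state.old_key_revoked = True
    state.log.append(f"revoked {fingerprint(state.old_key)}")
    return []


def egress_allowlist(cidrs: Iterable[str]) -> list:
    """Parse the public egress addresses/ranges that may talk to the API."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(source_ip: str, nets: list) -> bool:
    """True if a request's source address falls inside the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample data: one config file and one instance still on the old key.
    state = RotationState(old_key="OLD_KEY_constructed", new_key="NEW_KEY_constructed")
    sources = {"deploy/app.env": "AUTHY_API_KEY=OLD_KEY_constructed\n",
               "k8s/secret.yaml": "key: NEW_KEY_constructed\n"}
    reported = {"web-1": fingerprint("NEW_KEY_constructed"),
                "web-2": fingerprint("OLD_KEY_constructed")}
    verify_new_key(state, lambda k: k == "NEW_KEY_constructed")  # fake probe, offline
    for blocker in revoke_old_key(state, sources, reported, lambda k: None):
        print("blocked:", blocker)
    nets = egress_allowlist(["203.0.113.0/24", "198.51.100.7"])
    print("NAT egress allowed:", is_allowed("203.0.113.42", nets))
```

The instances report a fingerprint rather than the key itself, so the rotation log never contains a secret; the old-key scan is a plain substring match over deployment sources, which is enough to catch a key left behind in an env file or manifest before the revoke step runs.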
We have created a short video showing how to rotate the keys and how to set the whitelist for IP addresses:
If you use the Authy app on iOS, Android or Chrome, all you need to do is start your Authy app, at which point it will communicate with our service and be told to regenerate its keys.
There are three kinds of data used in the app that are sent to our cloud service:
At the time of publishing this post, there is no evidence that Authy data was exposed as a result of the incident. We are continuing to work closely with Cloudflare and our customers to evaluate any impact. We are also monitoring our service to confirm that customers are rotating their API keys, and we will proactively reach out to customers who have not yet done so.
As with any incident, we will examine the impact and work on a range of improvements to further mitigate situations like this going forward.
This notice is part of our commitment to transparency. As a security vendor, we take issues like this seriously. If you have any questions or concerns about this incident, the security of your user data or your account, please contact us at [email protected] or open a support ticket.