reay,
@reay@mastodon.social avatar

Hey, digital security types:

I use Authy for some secure logging in. Yesterday, twice on two separate occasions when I wasn't online (let alone using Authy), I got text notifications from Authy with a two-step verification code.

That's something, to my knowledge, that only happens when I'm trying to log on to certain websites.

Would that have been someone (or a system/whatever) trying to access my account info? Or would that just be a glitch generating those codes out of the blue?

sexybenfranklin,
@sexybenfranklin@smores.town avatar

@reay If it's getting to the point of generating an auth code, you should change the password on that account.

reay,
@reay@mastodon.social avatar

@sexybenfranklin @gerowen
So what's odd is that Authy doesn't seem to have a password, per se.
I have the app on my phone, which is just on when I tap on it, no login required.
It's only when I go to settings that it prompts a PIN code, but even in those settings, there's nowhere to change a password.

And looking at their website, there's no login option, either. It's only downloadable, which I'm assuming would effectively be like the app on my phone.

1/2

reay,
@reay@mastodon.social avatar

@sexybenfranklin @gerowen

I've contacted them to explain what happened and to ask what I should be doing about it and I'm waiting to hear back.

I've been using it for so long I don't even recall if they need a password, but it would be weird if they didn't. Yet I don't have one saved in my password manager, and there's no evident way to log out, in order to prompt it demonstrating it needs a password to log in.

All it seems to have to get anywhere inside is the PIN code, which is... weird.

gerowen,
@gerowen@mastodon.social avatar

@reay I would assume it was somebody trying to log into those accounts and change their passwords just to be safe. If you're getting a 2FA code then it means they probably have your password in order to get that far, so even though the 2FA did its job, I would change the password just to be safe. You might also be able to check security logs to see login activity and see if there has been anything suspicious, especially around the time you got those messages.
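
The "check security logs around the time you got those messages" advice above, as an added example that is not part of the thread: a small Python script (my own, assuming a constructed, simplified auth log format and made-up documentation-range IPs) that picks out logins where the password succeeded but the second factor was never completed, which is exactly the pattern an unexpected SMS code points to.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real service). Fields:
# ISO-8601 UTC timestamp, account, source IP, event. The IPs are documentation
# ranges; 198.51.100.9 is the account owner's usual address in this scenario.
SAMPLE_LOG = """\
2024-05-01T03:12:07Z reay 203.0.113.5 PASSWORD_OK
2024-05-01T03:12:08Z reay 203.0.113.5 MFA_SMS_SENT
2024-05-01T03:17:09Z reay 203.0.113.5 MFA_TIMEOUT
2024-05-01T14:30:01Z reay 198.51.100.9 PASSWORD_OK
2024-05-01T14:30:02Z reay 198.51.100.9 MFA_SMS_SENT
2024-05-01T14:30:40Z reay 198.51.100.9 MFA_OK
2024-05-01T22:45:11Z reay 203.0.113.5 PASSWORD_OK
2024-05-01T22:45:12Z reay 203.0.113.5 MFA_SMS_SENT
2024-05-01T22:46:00Z reay 203.0.113.5 MFA_FAIL
"""

def parse_log(text):
    """Turn the log text into (timestamp, user, ip, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    return sorted(events)

def unverified_logins(events, known_ips, window=timedelta(minutes=10)):
    """Each PASSWORD_OK that was not followed by an MFA_OK from the same user and
    IP within `window` means the password worked and only the second factor held.
    Those timestamps are what to line up against the unexpected SMS codes."""
    findings = []
    for i, (ts, user, ip, event) in enumerate(events):
        if event != "PASSWORD_OK":
            continue
        completed = any(
            e == "MFA_OK" and u == user and p == ip and ts <= t <= ts + window
            for t, u, p, e in events[i + 1:]
        )
        if not completed:
            findings.append({"time": ts.isoformat(), "ip": ip,
                             "known_ip": ip in known_ips})
    return findings

if __name__ == "__main__":
    for f in unverified_logins(parse_log(SAMPLE_LOG), known_ips={"198.51.100.9"}):
        print(f)
```

On the constructed data this flags the two 203.0.113.5 attempts and leaves the owner's completed login alone; a real export will have its own field names, so only the parser needs adapting.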

reay,
@reay@mastodon.social avatar

@gerowen Thanks!

reay,
@reay@mastodon.social avatar

@gerowen @sexybenfranklin So yes, Authy support agreed with your collective takes on this and suggested changing the passwords of every website I use Authy with for 2FA.

I did that and voila, no more random texts asking for authorization.

All of which means at least one of those sites had the primary password hacked. It was just the 2FA in place that prevented someone/something from logging in as me. No mean feat, since they were already long and randomized passwords.

Very sobering.

1/2

reay,
@reay@mastodon.social avatar

@gerowen @sexybenfranklin

I've since changed and lengthened other passwords, too, and am currently waiting on a callback from my phone carrier about potential SIM swapping (another Authy support desk suggestion). I checked my banking details and blah -- changed those passwords, too -- and haven't seen anything suspicious, but of course I wouldn't, necessarily. Happily those are 2FA as well. But still.

Now to help further lock down my wife and daughter's accounts, as well...

/fin

gerowen, (edited )
@gerowen@mastodon.social avatar

@reay @sexybenfranklin Glad you're getting it all squared away and that changing your passwords got the messages to stop. If you were using good passwords then it's probably the case that some service provider wasn't hashing them properly and got compromised. If you haven't looked already, has a website where you can punch in an email address or phone number and it'll return all the data breaches they know about that contain that information.

https://haveibeenpwned.com/
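
Alongside the breach lookup linked above, Have I Been Pwned also publishes a Pwned Passwords range API that lets you test whether a password itself appears in known breaches without sending the password anywhere. The following is an added example (my own code, not the thread's or HIBP's) of that k-anonymity check: only the first five hex characters of the SHA-1 hash are sent, and the match is done locally. The offline demo uses a constructed stand-in for the API response; the live fetch helper targets the real `api.pwnedpasswords.com/range/` endpoint but is never called by the demo or tests.

```python
import hashlib
import urllib.request

def sha1_split(password: str):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1, as the
    k-anonymity range API expects. Only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """range_body is the text returned for GET /range/<prefix>: one 'SUFFIX:COUNT'
    per line. Returns how many times the password was seen, 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_range_body(breached: dict) -> str:
    """Stand-in for the API response, built from a constructed {password: count}
    dict so the example runs offline; the real service returns hundreds of lines."""
    return "\n".join(f"{sha1_split(pw)[1]}:{n}" for pw, n in breached.items())

def fetch_range_online(prefix: str) -> str:
    """Live lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Hash locally, fetch the bucket for the prefix, match the suffix locally."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))

if __name__ == "__main__":
    body = constructed_range_body({"password": 9000000})     # constructed counts
    print(pwned_count("password", lambda prefix: body))       # non-zero: seen in breaches
    print(pwned_count("correct horse battery staple", lambda prefix: body))  # 0
```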

reay,
@reay@mastodon.social avatar

@gerowen @sexybenfranklin Haven’t checked for being breached in a while, but evidently I should. Thanks for the reminder.

And happy to say no evidence of SIM swapping on the carrier’s end, as well. No access, or changes, to my account. And they send texts plus emails out whenever an account change is made, so I would’ve heard about anything being attempted.

Definitely all eye-opening, though.

sexybenfranklin,
@sexybenfranklin@smores.town avatar

@reay @gerowen you'd 100% know if you had been sim swapped, you wouldn't have been able to use your data or texts on your phone. Glad to hear it wasn't that though

reay,
@reay@mastodon.social avatar

@sexybenfranklin @gerowen I figured as much. But despite my confidence, it seemed a call to the carrier just to be sure wasn’t a bad idea.
