[darkr]

This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).

It took them two years to fix it.

[rvnx]

> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint

Isn’t it what you are describing?

[darkr]

Based on the reports that I’ve read so far, this vuln was different to the one I found, which was on an authenticated endpoint.

Definitely some similarities though, I’d love to see some concrete technical information on it.