Authy got hacked, and 33 million user phone numbers were stolen

'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.

Red Shazam

I realized long time ago that I don't want my 2FA be tied to my phone number. And then i found you can't export your data from Authy because they know they are scummy fucks and don't want to anyone to leave

Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?

Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?

lol. I am glad I became privacy conscious before this happened.

did they have 2fa on?

welp

Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.

Does anyone have a suggested alternative for authy? (Please read the whole post before responding)

I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:

Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.

At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.

I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

Edit: added emphasis

Why does it require a phone number to use?!

I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.

Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.

Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

Stop. Trusting. Cloud/SAAS. Security. Apps.

Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.

Don't give them your personal details, they don't care about protecting user anonymity.

Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create honeypots catnip for hackers, and making you pay them for the privilege of being an easy target.

Edit: I've been using "honeypot" wrong. It would actually be good if the hackers tried to hack one of those.

Weren't they hacked last time? Is this old news or a new hack they never learned from?

Bell curve meme:

Grug: A file on my computer (/Desktop/passwords.txt) Matty Midwit: Cloud connectivity! Phone numbers! Biometrics! Just install the app! Less than a cup coffee per month! Backed by FAGMAN^TM! The monk: A file on my computer (KPXC)

I hate, hate, hate that companies force 2FA on me just because goddamn Susans use ‘password’ as their password on every goddamn fucking app. My passwords are safe. They’re long and they contain ALL THE CHARACTER CLASSES. Fuck off with your fucking 2fa!