Bell curve meme:
Grug: A file on my computer (/Desktop/passwords.txt) Matty Midwit: Cloud connectivity! Phone numbers! Biometrics! Just install the app! Less than a cup coffee per month! Backed by FAGMAN^TM^! The monk: A file on my computer (KPXC)
Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.
The problem is so many services requiring SMS to be that second factor. From what I've heard it's easy enough to steal a sim that if you're being explicitly targeted it's basically the same as no second factor. Yet even if using an authenticator app most services require you to still have SMS/phone as another option for the 2FA.
For Authy specifically they'd need to guess your master password and then hijack your phone number, and for users of Authy I suspect their passwords are not easily guessed as it's already a step above the standard SMS only 2FA most services require.
did they have 2fa on?
Of course. It was on the office phone that gets passed around to whichever tech is on call. The on-call tech left it at Mcdonalds accidentally.
Weren't they hacked last time? Is this old news or a new hack they never learned from?
I realized long time ago that I don't want my 2FA be tied to my phone number. And then i found you can't export your data from Authy because they know they are scummy fucks and don't want to anyone to leave
You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.
Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file
People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?
You're gonna leave Authy a copy of your seeds? That defeats the purpose.
Re-key your MFA codes on the way out. Security isn't necessarily convenient.
Remind me to start a batch rekeying service.
They got rid of the desktop app.
Also, with shouldn't have your seeds. They're encrypted before they are transmitted to their servers and only decrypted on the device.
then i found you can't export your data from Authy
Exporting data from a 2FA app sounds like the opposite of secure. Not to mention you don't want your 2FA codes on Authy (or any other 2FA app) to remain valid if you're not using it.
When I switched from Google Authenticator to Authy years ago, I went through each 2FA-enabled account one by one to disable 2FA and then re-enable it using Authy. It's a long process depending on how many accounts you have 2FA enabled on, but it's worth it.
Reading the OP, looks like it's time to generate new keys for all my 2FA accounts.
If you can't export / save / transfer codes then you need to regenerate all your 2fa codes every time you switch to a new device.
2FA doesn't need to be infallible, it just needs to be a second factor.
Red Shazam
Wow, it's literally the shazam logo, flipped horizontally and red.
Wonder who got paid to make that logo?
'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.
Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
You know it's bad when people recommend something made by Google over it.
Deleted my Authy account, Thankfully I only had indeed and humble bundle attached.
lol. I am glad I became privacy conscious before this happened.
Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?
Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?
Bitwarden would be my vote
KeePassXC does have this functionality on desktop as well as on SOME android apps (no idea for iOS). For android I like KeePass2Android Offline, iirc it was recommended on the official KeePassXC website (you may want to check it out).
This is a most excellent place for technology news and articles.
