Twilio says hackers identified cell phone numbers of two-factor app Authy users

Image Credits: Drew Angerer / Getty Images

Last week, a hacker claimed to have stolen 33 million phone numbers from U.S. messaging giant Twilio. On Tuesday, Twilio confirmed to TechCrunch that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.

In a post on a well-known hacking forum, the hacker or hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users.

Twilio spokesperson Kari Ramirez told TechCrunch that the company “has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.”

“We have seen no evidence that the threat actors obtained access to Twilio’s systems or other sensitive data. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks,” Ramirez wrote in an email. 

Twilio also published an alert on its official website on Monday, including the same statement. 

Contact Us

Do you have more information about this Twilio/Authy incident? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

While obtaining a list of phone numbers — on its own — may not appear to be the most dangerous of data breaches, it could still pose a threat to the owners of those numbers.

“If attackers are able to enumerate a list of user’s phone numbers, then those attackers can pretend to be Authy/Twilio to those users, increasing the believability in a phishing attack to that phone number,” Rachel Tobac, an expert in social engineering and CEO of SocialProof Security, told TechCrunch.

Tobac explained that now hackers can specifically target people who they know are Authy users, giving the attackers a chance to make it look like their malicious messages really come from Authy and Twilio. 

In 2022, Twilio suffered a larger data breach, when a group of hackers accessed the data of more than 100 company customers. The hackers then launched a wide-ranging phishing campaign which resulted in the theft of around 10,000 employee credentials from at least 130 companies. As part of that breach at the time, Twilio said hackers successfully targeted 93 individual Authy users and were able to register additional devices on those victims’ Authy accounts, allowing them to effectively steal real two-factor codes.

UPDATE, 12:52 p.m. ET: This story has been corrected to clarify that the 2022 Twilio breach is not directly connected to the phishing campaign that resulted in the theft of around 10,000 employee credentials of several companies. The two attacks were allegedly carried out by the same threat actors.

Hackers could spy on cell phone users by abusing 5G baseband flaws, researchers say

Customers experience Samsung's new foldable mobile phone Galaxy Z Flip5 at a Samsung sales store in Hangzhou, East China's Zhejiang province, Aug. 14, 2023.

Image Credits: Costfoto / NurPhoto / Getty Images

A group of researchers say they have uncovered a series of security flaws in different 5G basebands — essentially processors used by cell phones to connect to mobile networks — which could have allowed hackers to stealthily hack victims and spy on them. 

The researchers from Pennsylvania State University presented their findings at the Black Hat cybersecurity conference in Las Vegas on Wednesday, as well as in an academic paper. 

Using a custom-made analysis tool they called 5GBaseChecker, the researchers uncovered vulnerabilities in basebands made by Samsung, MediaTek, and Qualcomm, which are used in phones made by Google, OPPO, OnePlus, Motorola, and Samsung.

The researchers are Kai Tu, Yilu Dong, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Weixuan Wang, Tianwei Wu, and Syed Rafiul Hussain. On Wednesday, they released 5GBaseChecker on GitHub so that other researchers can use it to hunt for 5G vulnerabilities. 

Hussain, an assistant professor at Penn State, told TechCrunch that he and his students were able to trick phones with those vulnerable 5G basebands into connecting to a fake base station — essentially a fake cell phone tower — and from there launch their attacks. 

Tu, one of the students, said that their most critical attack allowed them to exploit the phone from that fake base station. At that point, Tu said, “the security of 5G was totally broken.”

“The attack is totally silent,” Tu added. 

Tu explained that by taking advantage of the vulnerabilities they found, a malicious hacker could pretend to be one of the victim’s friends and send a credible phishing message. Or by directing the victim’s phone to a malicious website, the hacker could trick the victim into providing their credentials on a fake Gmail or Facebook login page, for example. 

The researchers were also able to downgrade a victim from 5G to older protocols like 4G or even older ones, making it easier to eavesdrop on the victim’s communications, said Tu. 

The researchers said that most vendors they contacted have fixed the vulnerabilities. At the time of writing, the researchers had identified 12 vulnerabilities in different 5G basebands and gotten them patched.

Samsung spokesperson Chris Langlois said in a statement to TechCrunch that the company had “released software patches to affected smartphone vendors to address and resolve this matter,” while Google spokesperson Matthew Flegal also confirmed that the flaws were now fixed.

MediaTek and Qualcomm did not respond to a request for comment. 

Honda's hydrogen fuel cell-powered CR-V isn't as dumb as you think

Image Credits: Honda

Just like battery-electric cars 20 years ago, hydrogen fuel cell cars suffer from the old chicken and the egg problem. Nobody wants to buy a fuel cell vehicle until the supporting infrastructure is in place, but it’s tough to invest in infrastructure when nobody owns a fuel cell vehicle.

Honda says it’s playing the long game with a lofty goal in mind. The company says it will sell only zero-emission vehicles by 2040 with a fleet of battery electric and fuel cell vehicles. Honda intends to take that plan one step further by being a net-zero carbon emissions company, across all of its products and facilities, by 2050.

To get there, Honda is investing in both the chicken and the egg.

The egg is the new 2025 Honda CR-V e:FCEV — a hydrogen fuel cell vehicle I spent the day driving and that will soon be available for lease in California. As wild as it sounds to launch a hydrogen fuel cell vehicle in a country with little to no infrastructure, Honda has hedged its bet with this particular egg.

The chicken is Honda’s strategy toward hydrogen.

Honda sees four ways to apply the second-generation hydrogen fuel cell: in consumer and commercial fuel cell vehicles, in stationary power stations and in construction machinery. The latter two demand power for long durations, in theory growing the demand for hydrogen and thus encouraging better infrastructure.

“We are doing this to advance the hydrogen economy, because somebody has to,” Jay Joseph, VP Sustainability and Business Development at Honda, said, referring to the company’s broad plan.

The 2025 Honda CR-V e:FCEV is one slice of that hydrogen pie. The company is also testing other applications of the fuel. It uses a 576 kW hydrogen-powered generator as a backup to the grid- and solar-powered data center at Honda headquarters in Torrance, California. Honda is also readying a Class 8 fuel cell semi-truck as a proof-of-concept here in the United States.

A Honda CR-V with a twist

Image Credits: Honda

Honda is not new to the hydrogen fuel cell game. The company first brought a fuel cell car into the world in 2003 with the fleet-only FCX. A few years later, we got the FCX Clarity and finally in 2016 the Clarity Fuel Cell was introduced.

Here we are some eight years later and Honda is putting a hydrogen fuel cell into its popular CR-V crossover, but with a bit of a twist.

The e:FCEV can run just on hydrogen, but it also has a 17.7 kWh battery good for 29 miles of all-electric range. Yep, this CR-V is a plug-in hybrid that replaces the internal combustion engine with a hydrogen fuel cell.

I mean, look: Honda isn’t stupid. It knows that hydrogen supplies are, shall we say, volatile. California’s largest public supplier of hydrogen, True Zero, recently hiked its prices by 20%. Shell just shut down its hydrogen stations, and of the 50 or so stations remaining, many are plagued by unexpected outages or a total lack of fuel.

Adding that plug as a backup not only mitigates some of the stress over fueling, but it’s also more efficient for the kind of driving done by many fuel cell owners. Honda learned that Clarity Fuel Cell owners usually drove very short distances, five or 10 miles at a time, and a hydrogen fuel cell isn’t the most efficient on quick trips. Using electrons from a small battery makes sense.

Behind the wheel

The 2025 Honda CR-V e:FCEV is equipped with an electric motor that produces 174 horsepower and 229 pound-feet of torque, numbers that are a bit less than the standard hybrid model. You can drive the car on EV-only or as a hybrid, letting the hydrogen kick in when more torque is asked for. Drivers can also save the juice in the battery to use later or charge the battery on the go.

On a quick drive at Honda HQ I spent my time in hybrid, or Auto, mode and it drove, well, just fine.

This may be a hydrogen fuel cell vehicle, but it drove like any other EV. There are modes for Econ, Normal, Snow and Sport. I immediately switched it to that last one but didn’t feel any noticeable difference in steering or throttle response. However, Sport mode carried over my preferred regen braking settings. In Normal, the brakes defaulted to the friction brakes at every slow down, which was annoying. I want my free electrons, dammit!

When everything is charged up and the hydrogen tank is full, the CR-V has a range of 270 miles. Honda says the small battery can be charged in less than two hours on a Level 2 charger, but it will take about 10 hours on a standard household outlet. And yes, you can take power out of your car if necessary, so when there’s a power outage you’ll still be able to run small home appliances or charge your Honda Motocompacto electric scooter.

The good news here is that Honda has said it will subsidize hydrogen for CR-V e:FCEV. While the company has yet to go into specifics, it did give Clarity Fuel Cell owners $15,000 or 36 months’ worth of free fuel. I wouldn’t expect this to carry over to the hydrogen-powered crossover.

Fuel cells: A love story

The CR-V’s carbon fiber hydrogen tank can hold a total of 4.3 kilograms of the gas. Those hydrogen atoms really want to hang out with incoming oxygen atoms. Like, they love each other with a passion only seen on the cover of bawdy romance novels. When they get together, it’s hot, baby, hot. So hot that electrons are emitted. They come off and say, “Hey, let’s keep this party going!”

They go to the Electric Motor disco and dance around, making the motor spin, which propels the front wheels of the CR-V and gets you to work or the store or wherever you’re going.

In other words, a fuel cell produces energy through a chemical reaction and that energy is used to power an electric motor.

2025 Honda CRV e:FCEV inside and out

The Honda CR-V e:FCEV is on the left, while the standard Honda CR-V hybrid is on the right. Image Credits: Emme Hall

The e:FCEV looks a lot like the standard CR-V, but those with sharp eyes will notice a few key differences. The hydrogen car has unique front and rear fascias, bigger front overhangs and a wider grille opening.

I dig the clear taillight lenses in the e:FCEV as well as the gloss-black 18-inch wheels. That gloss-black is echoed in the side mirrors as well.

Inside there is a push-button gear selector, even though the only gears to select are Drive and Reverse. Materials are all eco-friendly, with faux leather seats and steering wheel. The fuel cell CR-V has a 10.2-inch digital gauge cluster with all the power-delivery information your nerdy brain could possibly want.

While overall passenger volume remains the same, cargo space is negatively impacted by the hydrogen tank. Honda has made the area behind the rear seats a bit more usable with a two-tiered design with a movable panel. The engineer I talked to said it allows him to carry an extra large Costco pizza when it is affixed in the topmost position, which frankly is one of the best design inspirations I’ve ever heard. It also acts as a cover to keep more expensive items out of sight of thieving eyes.

Image Credits: Honda

The e:FCEV comes as a Touring trim, minus the sunroof. You can expect power and heated front seats and a heated steering wheel, as well as wireless charging, USB-A and -C ports and a bumping 12-speaker Bose audio system. The Honda Sensing suite of driver’s aids is standard here as is a nine-inch touchscreen with wireless Apple CarPlay and Android Auto. You’ll also get two color options: white or gray.

Currently, folks have only the Toyota Mirai to cross shop and there’s a lot to like about the little hydrogen fuel cell runabout. First off, it’s a sedan and will appeal to those who want something a bit smaller. Further, it has around 400 miles of range. Techies in a Mirai who run the Los Angeles-San Francisco route can do it in one tank of hydrogen. Those who try it in a CR-V will have to depend on the single hydrogen station on the journey, plunked down amidst farmland and next to an airstrip. Hey, at least you can fill the tank in less than five minutes.

The range might be enough to entice early adopters to the Toyota side — you can even purchase a Mirai outright if that’s your jam — but the added bonus of having a battery backup on the CR-V should appeal to those who want just a little bit of range assurance.

The 2025 Honda CR-V e:FCEV will be available to lease in California this summer and single drivers will get that coveted carpool lane sticker. The company only expects to lease 300 or so of these hydrogen-powered vehicles, but again it’s playing the long game, gambling that hydrogen will help it obtain its zero-emission goals over the next 25 years or so.