Authy got hacked, and 33 million user phone numbers were stolen - eviltoast
  • maryjayjay@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    6 months ago

    You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

    Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

    • Todd Bonzalez@lemm.ee
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      6 months ago

      People keep acting like Authy is betraying them by not having an export feature, but why exactly are you leaving Authy to begin with? Because they are a security risk?

      You’re gonna leave Authy a copy of your seeds? That defeats the purpose.

      Re-key your MFA codes on the way out. Security isn’t necessarily convenient.

        • Todd Bonzalez@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          6 months ago

          I can’t even begin to stress what a terrible idea that is. You absolutely don’t want to make bulk-rekeying possible unless you like getting all of your accounts compromised at once.

          • can@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            If there’s a benefit to such a tool would bad actors have already developed one?

      • maryjayjay@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        They got rid of the desktop app.

        Also, with shouldn’t have your seeds. They’re encrypted before they are transmitted to their servers and only decrypted on the device.