We are aware of a small number of Authy users reporting that tokens were added to their account without their consent. To be clear, our investigation so far indicates that neither Twilio nor the Authy API/mobile/desktop apps have been hacked or experienced any interruptions in operations.
Twilio has shut down the tokens involved for violating our terms of service, and removed them from all identified user accounts. Our teams are in the process of gathering information and investigating the incident.
The enrollment of phone numbers via the Authy API is a standard feature, and is not a workaround or circumvention of Authy controls. An enrolled number doesn’t allow an app to access PII or other sensitive information via this method.