Qui la risposta di Authy sul caso:

https://www.authy.com/blog/security-...leed-incident/


Google Authenticator tokens that users have scanned and backed up to the Authy cloud service. Tokens are encrypted in the app using a key derived from the user-typed password, and the tokens are sent to us and securely stored. The password is never stored in Authy and therefore was never at risk from being exposed. Our general guidance, however, would be for users to re-enroll their Google Authenticator tokens at each site they use.