Twilio Suffers Data Breach via SMS Phishing Attack

12 August 2022

Twilio has suffered a data breach after employees fell victim to an SMS phishing attack. A hacker or group of hackers tricked employees into giving up their login credentials, which the attackers then used to steal third-party customer data.

The communications giant has 268,000 active customer accounts and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients. Twilio also owns the popular two-factor authentication (2FA) service Authy.

From the Twilio advisory:

"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.

The URLs used words including "Twilio," "Okta," and "SSO" to try and trick users into clicking on a link taking them to a landing page that impersonated Twilio's sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers."
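The advisory describes the lure concretely: texts claiming to come from IT, a "password expired" or "schedule changed" pretext, and a URL that carries brand words such as "Twilio", "Okta" or "SSO" while pointing at an attacker-controlled host. The following Python script is an added example, not code from Twilio or from this article, of how a defender can triage reported SMS messages against exactly those indicators. The allowlisted domains, the lure phrases and the sample messages are constructed for the example; a real deployment would load the organisation's own identity-provider hostnames and tune the phrase list.

```python
"""Added example: flag reported SMS texts that match the smishing pattern
described in the Twilio advisory (brand keyword in a non-corporate URL,
plus a password-expiry or schedule-change pretext)."""
import re
from urllib.parse import urlparse

# Constructed allowlist for this example; load your own SSO/IdP hosts in practice.
LEGITIMATE_DOMAINS = {"twilio.com", "okta.com"}
# Brand words the advisory says appeared in the malicious URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Pretexts quoted in the advisory (constructed phrasings).
LURE_PHRASES = (
    "password has expired",
    "password expired",
    "schedule has changed",
    "schedule changed",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def is_lookalike_url(url: str) -> bool:
    """True if the URL is served from a non-allowlisted host but carries a
    brand keyword in its host or path (e.g. twilio-sso.example.net, /okta/login)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host or is_trusted_host(host):
        return False
    haystack = (host + parsed.path).lower()
    return any(keyword in haystack for keyword in BRAND_KEYWORDS)


def analyze_sms(text: str) -> dict:
    """Extract URLs and pretext phrases from one message and decide if it is suspicious:
    any lookalike URL, or any URL combined with a known lure phrase."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    lookalikes = [u for u in urls if is_lookalike_url(u)]
    lowered = text.lower()
    lures = [phrase for phrase in LURE_PHRASES if phrase in lowered]
    suspicious = bool(lookalikes) or (bool(urls) and bool(lures))
    return {
        "urls": urls,
        "lookalike_urls": lookalikes,
        "lure_phrases": lures,
        "suspicious": suspicious,
    }


def triage(messages: list) -> list:
    """Return only the messages that should be escalated to the SOC."""
    return [m for m in messages if analyze_sms(m)["suspicious"]]


# Constructed sample messages; example.net/example.org are reserved names.
SAMPLE_MESSAGES = [
    "IT Dept: Your Twilio password has expired. Update it now at https://twilio-sso.example.net/login",
    "Reminder: your schedule has changed, confirm at https://portal.example.org/okta/schedule",
    "Sign in at https://sso.twilio.com/ to review the new policy",
    "Your parcel is out for delivery: https://parcel.example.org/track/12345",
    "Team lunch moved to 1pm, see you there",
    "Your password expired, reset here: https://reset.example.net/account",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        result = analyze_sms(message)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {message}")
        if result["lookalike_urls"]:
            print("   lookalike URLs:", result["lookalike_urls"])
        if result["lure_phrases"]:
            print("   lure phrases:  ", result["lure_phrases"])
```

The allowlist check is deliberately done on the registrable domain and its subdomains, so `sso.twilio.com` passes while `twilio.com.example.net` or `twilio-sso.example.net` does not; matching brand words against the host alone would miss lures that hide the keyword in the path, which is why the path is included in the comparison.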

Twilio, which is still investigating the hack, said it's working directly with impacted customers. It didn't disclose the scale of the attack, the number of employee accounts that were compromised, or the types of data that may have been accessed.

Twilio SMS Breach

The SMS messages are said to have been sent to current and former employees while masquerading as coming from Twilio's IT department, using password-expiry notifications to lure recipients into clicking malicious links.

Twilio did not disclose whether the attacker encountered or bypassed any MFA (multi-factor authentication) roadblocks during the social engineering attack, or whether any foundational access control technology was bypassed.

"We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs," said Twilio.

According to Twilio, its security team revoked access to the compromised employee accounts to mitigate the attack, and a leading forensics firm was engaged to aid the ongoing investigation.
