Twilio Suffers Data Breach via SMS Phishing Attack

12 August 2022

Twilio has suffered a data breach after employees fell victim to an SMS phishing attack. A hacker or group of hackers tricked employees into giving up login credentials, which the attackers then used to steal third-party customer data.

The communications giant has 268,000 active customer accounts and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients. Twilio also owns the popular two-factor authentication (2FA) service Authy.

From the Twilio advisory:

"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.

The URLs used words including "Twilio," "Okta," and "SSO" to try and trick users into clicking on a link taking them to a landing page that impersonated Twilio's sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers."
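The lure pattern the advisory describes (brand and SSO words stuffed into a hostname that is not the real sign-in domain, combined with a password-expiry or schedule-change pretext) is something a SOC can flag automatically when employees forward suspicious texts. The following is an added example, not Twilio's tooling and not part of its advisory: a small Python triage that extracts URLs from SMS bodies, scores each against an allowlist of genuine sign-in domains, and combines that with lure-phrase signals in the message text. The allowlist, keyword lists, and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand/SSO words the advisory says appeared in the lure URLs.
LURE_KEYWORDS = ("twilio", "okta", "sso")

# Pretext phrases drawn from the advisory's description of the text bodies.
LURE_PHRASES = ("password", "expired", "schedule", "log in")

# Hypothetical allowlist of domains the organisation really signs in through.
# Constructed for this example; a real deployment loads it from configuration.
LEGIT_DOMAINS = {"twilio.com", "okta.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages, modelled on the advisory's description.
SAMPLE_SMS = [
    "IT Dept: your Twilio password has expired. Log in at "
    "https://twilio-sso.example-login.net/auth to keep access.",
    "Schedule update: review your new shift at http://okta-twilio.example.net/schedule",
    "Your SMS verification code is 482913. Details: https://www.twilio.com/docs/verify",
]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for the sample data; use the
    Public Suffix List in production so co.uk-style suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url):
    """Return (score, reasons) for one URL; 0 means the host is allowlisted."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return 0, []
    score, reasons = 0, []
    # Core lookalike signal: brand words inside a host that is NOT ours,
    # e.g. twilio-sso.<attacker-domain>.
    hits = [k for k in LURE_KEYWORDS if k in host]
    if hits:
        score += 2 * len(hits)
        reasons.append(f"brand keyword(s) {hits} in non-allowlisted host {host!r}")
    # Hyphenated hosts are common in lookalikes; a mild signal on its own.
    if "-" in host:
        score += 1
        reasons.append("hyphen in hostname")
    # Brand words pushed into the path/query to pad a plausible-looking link.
    tail = (parsed.path + "?" + parsed.query).lower()
    path_hits = [k for k in LURE_KEYWORDS if k in tail]
    if path_hits:
        score += 1
        reasons.append(f"brand keyword(s) {path_hits} in path/query")
    return score, reasons


def triage_sms(text):
    """Score one SMS body: strongest URL signal plus pretext phrases."""
    lowered = text.lower()
    phrase_hits = [p for p in LURE_PHRASES if p in lowered]
    url_results = {u: score_url(u) for u in URL_RE.findall(text)}
    url_score = max((s for s, _ in url_results.values()), default=0)
    score = url_score + (2 if phrase_hits else 0)
    # A pretext phrase alone is often a genuine IT notice, so the verdict
    # hinges on a suspicious link being present.
    if url_score >= 2 and phrase_hits:
        verdict = "likely-smishing"
    elif url_score >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"urls": url_results, "phrases": phrase_hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = triage_sms(sms)
        print(f"[{result['verdict']:>15}] score={result['score']} :: {sms[:60]}...")
        for url, (s, reasons) in result["urls"].items():
            print(f"    {url} -> {s} {reasons}")
```

The allowlist check runs before any keyword scoring so that links to the genuine sign-in domain never score, regardless of how many brand words they contain; everything else is scored on where the brand word appears (hostname versus path) rather than on its mere presence.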

Twilio, which is still investigating the hack, said it's working directly with impacted customers. It didn't disclose the scale of the attack, the number of employee accounts that were compromised, or the types of data that may have been accessed.

Twilio SMS Breach

The SMS messages are said to have been sent to current and former employees while masquerading as coming from Twilio's IT department, luring recipients with password expiry notifications into clicking malicious links.

Twilio did not disclose whether the attacker encountered or bypassed any MFA (multi-factor authentication) controls during the social engineering attack, or whether any other foundational access-control technology was bypassed.

"We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs," said Twilio.

According to Twilio, its security team revoked access to the compromised employee accounts to mitigate the attack, and a leading forensics firm was engaged to aid its ongoing investigation.

Why you need our services

SafeAeon’s 24×7 Security Teams work around the clock to monitor, detect, and respond to cyberattacks before they have the chance to impact your business.

24×7 Eyes-on-Screen Monitoring

Our 24×7 SOC-as-a-Service ensures security is monitored around the clock by actual humans.

Protect your organization

Vendor Agnostic Approach

Fully customized to your unique requirements. Our vendor-agnostic team supports all the industry-leading security solutions.

Managed Risk & Compliance

Compliance with standards like PCI, HIPAA, SOX, GLBA, FFIEC, NERC CIP, CMMC and FISMA.

Ready to take control of your Security?

We are here to help

Reach out to schedule a demo with our team and learn how SafeAeon SOC-as-a-Service can benefit your organization.