Twilio Suffers Data Breach

Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack. A hacker or group of hackers successfully tricked employees into giving up login credentials that attackers then used to steal third-party customer data.

The communications giant has 268,000 active customer accounts and counts companies like Airbnb, Box, Dell, Door Dash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients. Twilio also owns the popular two-factor authentication (2FA) service called Authy.

From the Twilio advisory:

"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.

The URLs used words including "Twilio," "Okta," and "SSO" to try and trick users into clicking on a link taking them to a landing page that impersonated Twilio's sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers."

Twilio, which is still investigating the hack, said it's working directly with impacted customers. It didn't disclose the scale of the attack, the number of employee accounts that were compromised, or the types of data that may have been accessed.

The SMS messages are said to have been sent to current and former employees masquerading as coming from its IT department, luring them with password expiry notifications to click on malicious links.

In the social engineer attacks, Twilio did not disclosed if the attacker encountered or bypassed any MFA (multi-factor authentication) roadblocks or if they bypassed any foundational access control technology.

"We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs," said Twilio.

According to Twilio, their security team revoked access to the compromised employee accounts to mitigate the attack. A leading forensics firm was engaged in aiding our ongoing investigation.