Twilio confirms data breach after its employees got phished

Cloud communications company Twilio has announced that some of it employees have been phished and that the attackers used the stolen credentials to gain access to some internal company systems and customer data.

What happened?

The attackers impersonated Twilio’s IT department and sent text messages to current and former Twilio employees, asking them to click on a link to update their passwords or check how their schedule has changed.

“The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” the company explained. By entering their Okta credentials and 2FA codes into the page, they effectively delivered them into the hands of the attackers.

The company does not say when the attack happened, only that they became aware of unauthorized access to information related to “a limited number” of Twilio customer accounts on August 4, 2022. What kind of information was accessed, the company didn’t say. It also did not say how many employees fell for the phishing scheme.

Affected customers have been notified and an outside forensic firm has been called in to help investigate the breach.

The attack was part of a larger campaign

Apparently, Twilio employees were not the only ones targeted by these attackers.

“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with [U.S.] carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs. Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks,” the company said.

According to Tech Crunch, the attackers tried the same tactics against employees of a U.S. internet company, an IT outsourcing company and a customer service provider.

“We have reemphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks,” Twilio said, but obviously even that wasn’t enough to prevent some employees getting fooled.

The company says they are also “examining additional technical precautions as the investigation progresses.” Let’s hope this means that – among other things – they will be switching to a 2FA option that can’t be phished (e.g., hardware authentication devices / physical security keys).

While the attackers are, as Twilio says, well-organized and methodical, the sophistication of this attack campaign is mostly revolves around the fact that the attackers were able to “match employee names from sources with their phone numbers.”

Twilio has previously suffered a data breach in April 2021, as a direct result of the Codecov supply chain compromise, and another security incident in July 2020 that resulted in attackers injecting malicious code into their TaskRouter JS SDK library.

UPDATE (August 9, 2022, 01:40 p.m. ET):

Cloudflare has shared that three of its 76 employees that were targeted in an attack “with very similar characteristics” to the one that that hit Twilio have been tricked by the phishers to enter their access credentials into an Okta-themed login phishing page.

But the attackers were ultimately unsuccessful, stymied by the fact that Cloudflare employees use physical security keys to provide the second authentication factor.

UPDATE (August 26, 2022, 04:20 p.m. ET):

“To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period of time, and we have notified all of them,” Twilio said in an update on the situation.

“In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts. We have contacted the 93 Authy users and provided them with additional guidance to protect their account, based on industry-accepted practices.”