Following an employee SMS phishing attack, Twilio announces a data breach
According to cloud communications provider Twilio, attackers who broke into its internal systems after obtaining employee credentials through an SMS phishing attack were able to access some of its customers’ data.
Twilio offers programmable voice, text, chat, video, and email APIs that are used by over 10 million developers and 150,000 businesses to build customer engagement platforms. Twilio has more than 5,000 employees working out of 26 offices in 17 countries.
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials,” Twilio said over the weekend.
“The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
The company also said that the attackers obtained access to its systems by tricking a number of the targeted employees into handing over their login credentials during the phishing campaign.
When asked how many employees had their accounts compromised in the phishing campaign and how many customers were directly affected, Katherine James, EMEA Communications Director at Twilio, declined to provide further details, stating that the company has “no additional comment to provide at this time beyond what is posted in the blog.”
To steal the credentials, the attackers posed as Twilio’s IT department and directed employees to click URLs containing the keywords “Twilio,” “Okta,” and “SSO,” which redirected them to a clone of the Twilio sign-in page.
The SMS phishing messages persuaded Twilio employees to click the attached links by telling them that their passwords had expired or were due to be changed.
“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” Twilio said.
“Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
The company is working with law enforcement as part of the investigation but has not yet been able to identify the attackers.
Twilio has also begun contacting customers who may have been affected by this incident and has revoked access for the employee accounts compromised during the attack, denying the attackers further access to its systems.
“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details,” Twilio also added.
The company also revealed in May 2021 that it had been affected by the supply-chain attack on Codecov that had occurred the previous year. Threat actors had modified the legitimate Codecov Bash Uploader tool to harvest user tokens, secret keys, and credentials from Codecov customers.