Enterprise software vendor Twilio (NYSE: TWLO) has been hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data.
The San Francisco company fessed up to the breach in an online notice that describes a sophisticated threat actor with clever social engineering skills and enough resources to switch carriers for ongoing text-based phishing attacks.
Twilio said the attack against its employee base succeeded in fooling some employees into providing their credentials. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio added.
The company did not provide details on the extent of the breach, how many customers were affected, or whether the stolen data was encrypted and secured.
Twilio, a powerhouse in the enterprise communication API business with 26 offices in 17 countries, described the incident as ongoing and warns that the threat actor is sophisticated enough to rotate through telco carriers and hosting providers with social engineering lures.
[ READ: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims ]
“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions,” Twilio said.
From the Twilio advisory:
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.
The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.
[The] threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
Twilio did not mention if the attacker encountered any MFA (multi-factor authentication) roadblocks or if any foundational access control technology was bypassed in the social engineer attacks.
“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” Twilio said.
However, despite this response, the company said the malicious hackers have continued to rotate through carriers and hosting providers to resume the attacks.
Twilio said its security team revoked access to the compromised employee accounts to mitigate the attack and has hired an external forensics firm to help with the investigation.
Related: Exposed Twilio SDK Abused for Malvertising Attack
Related: Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts
Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
- Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
- Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
- Cloud Forensics Startup Mitiga Completes $45M Series A
- Blackbaud Fined $3M For ‘Misleading Disclosures’ About 2020 Ransomware Attack
- Cado Security Banks $20M in Series B Funding
Latest News
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
