Twilio Hacked After Employees Tricked Into Giving Up Login Credentials

Enterprise software vendor Twilio (NYSE: TWLO) has been hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data.

The San Francisco company fessed up to the breach in an online notice that describes a sophisticated threat actor with clever social engineering skills and enough resources to switch carriers for ongoing text-based phishing attacks.

Twilio said the attack against its employee base succeeded in fooling some employees into providing their credentials. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio added.

The company did not provide details on the extent of the breach, how many customers were affected, or whether the stolen data was encrypted and secured.

Twilio, a powerhouse in the enterprise communication API business with 26 offices in 17 countries, described the incident as ongoing and warns that the threat actor is sophisticated enough to rotate through telco carriers and hosting providers with social engineering lures.

[ READ: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims ]

“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions,” Twilio said.

From the Twilio advisory:

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.

The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.

[The] threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio did not mention if the attacker encountered any MFA (multi-factor authentication) roadblocks or if any foundational access control technology was bypassed in the social engineer attacks.

“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” Twilio said.

However, despite this response, the company said the malicious hackers have continued to rotate through carriers and hosting providers to resume the attacks.

Twilio said its security team revoked access to the compromised employee accounts to mitigate the attack and has hired an external forensics firm to help with the investigation.

Related: Exposed Twilio SDK Abused for Malvertising Attack

Related: Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts

Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims