Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Twilio Hacked After Employees Tricked Into Giving Up Login Credentials

Enterprise software vendor Twilio (NYSE: TWLO) has been hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data.

Enterprise software vendor Twilio (NYSE: TWLO) has been hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data.

The San Francisco company fessed up to the breach in an online notice that describes a sophisticated threat actor with clever social engineering skills and enough resources to switch carriers for ongoing text-based phishing attacks.

Twilio said the attack against its employee base succeeded in fooling some employees into providing their credentials. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio added.

The company did not provide details on the extent of the breach, how many customers were affected, or whether the stolen data was encrypted and secured.

Twilio, a powerhouse in the enterprise communication API business with 26 offices in 17 countries, described the incident as ongoing and warns that the threat actor is sophisticated enough to rotate through telco carriers and hosting providers with social engineering lures.

[ READ: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims ]

“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions,” Twilio said.

From the Twilio advisory:

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.

The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.

[The] threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio did not mention if the attacker encountered any MFA (multi-factor authentication) roadblocks or if any foundational access control technology was bypassed in the social engineer attacks.

“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” Twilio said.

However, despite this response, the company said the malicious hackers have continued to rotate through carriers and hosting providers to resume the attacks.

Twilio said its security team revoked access to the compromised employee accounts to mitigate the attack and has hired an external forensics firm to help with the investigation.

Related: Exposed Twilio SDK Abused for Malvertising Attack

Related: Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts

Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...