Enterprise software vendor Twilio (NYSE: TWLO) has been hacked by a relentless threat actor who successfully tricked employees into giving up login credentials that were then used to steal third-party customer data.
The San Francisco company fessed up to the breach in an online notice that describes a sophisticated threat actor with clever social engineering skills and enough resources to switch carriers for ongoing text-based phishing attacks.
Twilio said the attack against its employee base succeeded in fooling some employees into providing their credentials. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” Twilio added.
The company did not provide details on the extent of the breach, how many customers were affected, or whether the stolen data was encrypted and secured.
Twilio, a powerhouse in the enterprise communication API business with 26 offices in 17 countries, described the incident as ongoing and warns that the threat actor is sophisticated enough to rotate through telco carriers and hosting providers with social engineering lures.
[ READ: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims ]
“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions,” Twilio said.
From the Twilio advisory:
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls.
The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.
[The] threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
Twilio did not mention if the attacker encountered any MFA (multi-factor authentication) roadblocks or if any foundational access control technology was bypassed in the social engineer attacks.
“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” Twilio said.
However, despite this response, the company said the malicious hackers have continued to rotate through carriers and hosting providers to resume the attacks.
Twilio said its security team revoked access to the compromised employee accounts to mitigate the attack and has hired an external forensics firm to help with the investigation.
Related: Exposed Twilio SDK Abused for Malvertising Attack
Related: Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts
Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Skybox Security Raises $50M, Hires New CEO
- OpenSSL Ships Patch for High-Severity Flaws
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Sentra Raises $30 Million for DSPM Technology
- Saviynt Raises $205M; Founder Rejoins as CEO
Latest News
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- UN Experts: North Korean Hackers Stole Record Virtual Assets
