Enterprise communications firm Twilio has concluded its investigation into the recent data breach and revealed on Thursday that its employees were targeted in smishing and vishing attacks on two separate occasions.
On August 7, Twilio revealed that it had detected unauthorized access to information related to customer accounts a few days earlier. A probe revealed that the breach was a result of an SMS phishing (smishing) attack targeting the company’s employees.
At around the same time, Cloudflare said it had also been targeted and a few weeks later it came to light that the companies were targeted as part of a massive phishing campaign that hit over 130 organizations. The attackers appeared to be financially motivated.
Twilio has now concluded its investigation. The company says the attackers were locked out of its systems on August 9 and that only 209 of its more than 270,000 customers were impacted, as well as 93 of 75 million Authy end user accounts. There is no evidence that the threat actors accessed Twilio customer console account credentials, authentication tokens or API keys.
Twilio’s final report reveals that the same threat actor was likely also responsible for an attack that targeted the company in late June. The firm described it as a “brief security incident” that involved voice phishing (vishing). The attackers used social engineering to trick an employee into handing over their credentials, which they used to access the contact information of a limited number of customers.
Twilio claims the hackers’ access was identified and shut down within 12 hours. Impacted users were notified in early July.
The breach discovered in August was a result of a smishing attack launched in mid-July, which involved hundreds of text messages being sent to the phones of current and former Twilio employees. The messages appeared to come from IT administrators and urged recipients to click on a link that took them to a fake Okta login page.
Some employees took the bait and entered their credentials on the phishing sites. The hackers then used these credentials to access internal tools and applications that allowed them to obtain certain customer information.
Related: High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks
Related: Signal Discloses Impact From Twilio Hack
Related: Okta Says Customer Data Compromised in Twilio Hack
Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
