Enterprise communications firm Twilio has concluded its investigation into the recent data breach and revealed on Thursday that its employees were targeted in smishing and vishing attacks on two separate occasions.
On August 7, Twilio revealed that it had detected unauthorized access to information related to customer accounts a few days earlier. A probe revealed that the breach was a result of an SMS phishing (smishing) attack targeting the company’s employees.
At around the same time, Cloudflare said it had also been targeted and a few weeks later it came to light that the companies were targeted as part of a massive phishing campaign that hit over 130 organizations. The attackers appeared to be financially motivated.
Twilio has now concluded its investigation. The company says the attackers were locked out of its systems on August 9 and that only 209 of its more than 270,000 customers were impacted, as well as 93 of 75 million Authy end user accounts. There is no evidence that the threat actors accessed Twilio customer console account credentials, authentication tokens or API keys.
Twilio’s final report reveals that the same threat actor was likely also responsible for an attack that targeted the company in late June. The firm described it as a “brief security incident” that involved voice phishing (vishing). The attackers used social engineering to trick an employee into handing over their credentials, which they used to access the contact information of a limited number of customers.
Twilio claims the hackers’ access was identified and shut down within 12 hours. Impacted users were notified in early July.
The breach discovered in August was a result of a smishing attack launched in mid-July, which involved hundreds of text messages being sent to the phones of current and former Twilio employees. The messages appeared to come from IT administrators and urged recipients to click on a link that took them to a fake Okta login page.
Some employees took the bait and entered their credentials on the phishing sites. The hackers then used these credentials to access internal tools and applications that allowed them to obtain certain customer information.
Related: High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks
Related: Signal Discloses Impact From Twilio Hack
Related: Okta Says Customer Data Compromised in Twilio Hack
Related: Twilio, HashiCorp Among Codecov Supply Chain Hack Victims
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
