- Twilio announced that in mid-July 2022, malicious actors sent hundreds of smishing text messages to the mobile phones of current and former Twilio employees.
- The threat actors managed to compromise user credentials by leading them to fake pages hosted on domains created by malicious actors.
- The investigation found that 209 customers and 93 Authy end users had accounts that were impacted by the incident.
In late summer, Twilio announced a data breach in which attackers stole customer information from the company. The company has now wrapped up its investigation and published a final update to its blog post. According to the final announcement, it was not the first time that the same threat actors had managed to steal data.
SMS phishing
According to the announcement, in mid-July 2022, actors sent hundreds of SMS phishing (smishing) messages to current and former employees. The attackers, impersonating the Twilio IT team or other administrators, urged employees to click a link that looked like a password-reset link. The links led to fake pages hosted on domains such as twilio-sso.com, twilio.net, twilio.org, sendgrid-okta.org, twilio-okta.net, and twilio-okta.com.
After some employees entered their credentials on these fake websites, the actors used the stolen credentials to access internal Twilio administrative tools and applications and, through them, certain customer information. The same actors were likely responsible for a security incident that occurred on June 29. In that incident, an employee was socially engineered through voice phishing into providing their credentials, and the malicious actor was able to access customer contact information for a limited number of customers.
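The lookalike domains above share a pattern: a real brand string (twilio, okta, sendgrid) combined with an SSO-style word under a registrable domain the company does not own. The following detection snippet is an added example, not Twilio's code or anything from the announcement; the allowlist, brand keywords and sample messages are assumptions constructed for illustration. It flags URLs in an SMS body whose hostname carries a brand string but whose registrable domain is not on the allowlist, which also catches a brand name buried in a subdomain of an unrelated domain.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of registrable domains the organisation actually owns.
ALLOWED_DOMAINS = {"twilio.com", "okta.com", "sendgrid.com"}
# Brand strings attackers combine with words like "sso" or "okta" to build lookalikes.
BRAND_KEYWORDS = ("twilio", "okta", "sendgrid")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when the hostname carries a brand string but is not under an allowed domain."""
    host = host.lower()
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return False  # genuine brand domain, any subdomain is fine
    return any(kw in host for kw in BRAND_KEYWORDS)


def flag_sms(text: str) -> list[str]:
    """Return the lookalike hostnames found in the URLs of one SMS body, in order."""
    flagged: list[str] = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host and is_lookalike(host) and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed sample messages modelled on the lures described in the incident.
SAMPLE_SMS = [
    "IT: your password expires today, reset at https://twilio-sso.com/reset",
    "Schedule change, confirm at https://sendgrid-okta.org/login now",
    "Reminder: the dashboard is at https://console.twilio.com/",
    "Update your profile: https://twilio.com.example.net/sso",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(flag_sms(sms) or "clean", "<-", sms)
```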
The company managed to identify and eradicate the threat actors within 12 hours and notified the customers whose information was impacted by the June incident on July 2. The investigation into the Smishing Incident found the following:
- The last observed unauthorized activity in our environment was on August 9, 2022;
- 209 customers, out of a total customer base of over 270,000, and 93 Authy end users, out of approximately 75 million total users, had accounts that were impacted by the incident; and
- There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.
Upon discovering the unauthorized access to our systems, Twilio took a number of actions to eradicate the malicious actor’s access during the Smishing Incident, including:
- Resetting credentials of the compromised Twilio employee user accounts;
- Revoking all active sessions associated with the compromise of Okta-integrated apps;
- Blocking all indicators of compromise associated with the attack; and
- Initiating takedown requests of the fake Twilio domains.
To prevent or mitigate the efficacy of similar smishing and vishing attacks in the future, Twilio has also implemented a number of additional security measures, including:
- Implementing stronger two-factor precautions and distributing FIDO2 tokens to all employees;
- Implementing additional layers of control within our VPN;
- Removing and limiting certain functionality within specific administrative tooling;
- Increasing the refresh frequency of tokens for Okta-integrated applications;
- Conducting supplemental mandatory security training for all employees regarding attacks based on social engineering techniques.
Twilio said,
« We’d like to apologize to our customers for the incidents. We have talked to hundreds of customers, conveyed our regrets, and described our ongoing efforts to improve. We deeply appreciate the understanding and support that customers have shown, and we’ve shared our commitment to do better. We are seeing immediate benefits from the significant enhancements we have made to our security posture, and are making long term investments to continue to earn back the trust of our customers. »