2 min read

Twilio reveals hackers compromised its systems a month earlier than previously thought

Graham CLULEY

October 31, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Twilio reveals hackers compromised its systems a month earlier than previously thought

Readers will recall that cloud communications firm Twilio disclosed on August 7 2022 that hackers had accessed user data following a sophisticated social engineering attack that saw employees targeted with SMS-phishing ("smishing") text messages.

Attackers sent current Twilio staff and former employees SMS text messages that purported to come from the company's IT department, telling them that their passwords had expired.

Clicking on the link in the messages had taken unsuspecting individuals to a fake Twilio login page, where they entered their credentials and allowed hackers to gain access to customer data.

Now, following the conclusion of an investigation into that incident, Twilio has revealed that the same malicious hackers had tricked an employee into providing their password through a voice-phishing attack on June 29 2022:

"Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers."

Of course, it matters little if a security incident was "brief" or not, if your attackers manage to get away with the information that they wanted.

And there are still some troubling things to read in Twilio's incident report.  For instance, the company first announced that it had suffered a security breach on August 7 2022, but has only this week disclosed that it "last observed unauthorised activity" on its systems a full two days later on August 9.

Concluding its investigation into the breaches, Twilio says that 209 customers and 93 end users of its Authy two-factor authentication app had their accounts impacted by the attack.

The attacks against Twilio were part of a much larger campaign, dubbed "0ktapus" by security researchers, that compromised over 130 organisations.

The encrypted messaging service Signal, for instance, reported that approximately 1,900 of its users could potentially have been affected as a result of the Twilio breach, although their message history and contact lists would have remained safe.

Twilio says it has taken steps to reduce the efficacy of smishing and vishing attacks in future, by putting in place additional security measures including:

  • Implementing stronger two factor precautions and distributing FIDO2 tokens to all employees;
  • Implementing additional layers of control within our VPN;
  • Removing and limiting certain functionality within specific administrative tooling;
  • Increasing the refresh frequency of tokens for Okta-integrated applications;
  • Conducting supplemental mandatory security training for all employees regarding attacks based on social engineering techniques.

Twilio says it is "very disappointed and frustrated" about the incident, and has apologised to customers.  It says it is "making long term investments to continue to earn back the trust of our customers."

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Authorities Dismantle iSpoof Criminal Phone Spoofing Operation, Arresting 142 Authorities Dismantle iSpoof Criminal Phone Spoofing Operation, Arresting 142
Vlad CONSTANTINESCU

November 25, 2022

1 min read
975 Arrested by Interpol Over Phishing, Romance Scams, Sextortion and Investment Fraud 975 Arrested by Interpol Over Phishing, Romance Scams, Sextortion and Investment Fraud
Filip TRUȚĂ

November 25, 2022

2 min read
How SIM Swapping Attacks Work and How to Protect Yourself How SIM Swapping Attacks Work and How to Protect Yourself
Filip TRUȚĂ

November 25, 2022

3 min read