Twilio customer data breached in SMS phishing attack


Cloud communications giant Twilio said it was hacked via a phishing attack on its employees with the cyber criminals gaining access to some customers’ data.

San Francisco-based Twilio, which has more than 150,000 customers including Facebook, the American Red Cross, Airbnb, Lyft, and a slew of IT giants like Dell Technologies and Salesforce, said it is notifying the affected customers on an individual basis.

“Once Twilio confirmed the incident, our security team revoked access to the compromised employee accounts to mitigate the attack,” said Twilio in a security blog post today.

“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details,” the company said.

“If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.”

The cyber attacker has yet to be identified.

Twilio declined to say the number of customers who have been affected or to provide details on what exact data was accessed by the hackers.

The phishing attack

On August 4 United States time, Twilio became aware of unauthorised access to information related to a limited number of Twilio customer accounts, through a sophisticated social engineering attack designed to steal employee credentials.

Unknown hackers used SMS phishing messages purporting to have been sent by Twilio’s IT department.

Sample Twilio phishing text

The messages claimed that the employee password had expired or that something in their work schedule had changed and advised the staffer to log in by going to a web site that the attackers had created and controlled.

The URLs used words like ‘Okta’, referring to the identity and access management firm, and ‘SSO’ (single sign-on) to trick users into clicking on the link.
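A defender-side check for the lure pattern described above, as an added example that is not part of the original article: it flags links whose hostname contains words such as ‘okta’, ‘sso’ or the company name but does not belong to an allowlisted sign-in domain. The allowlist, the keyword set and the sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: the allowlist and the lure words are illustrative.
ALLOWED_DOMAINS = {"twilio.com", "okta.com"}
LURE_TOKENS = {"twilio", "okta", "sso"}

def hostname_of(url):
    """Lower-cased hostname; tolerates links pasted without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_allowed(host):
    """Exact match or true subdomain only, so 'okta.com.evil.example' fails."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def lure_tokens(host):
    """Lure words appearing as whole labels or hyphen-separated parts.
    Whole-token matching avoids hits such as 'sso' inside 'associates'."""
    return sorted(set(re.split(r"[.-]", host)) & LURE_TOKENS)

def flag_urls(urls):
    """Return (url, host, matched_tokens) for every suspicious link."""
    flagged = []
    for url in urls:
        host = hostname_of(url)
        if not host or is_allowed(host):
            continue
        hits = lure_tokens(host)
        if hits:
            flagged.append((url, host, hits))
    return flagged

# Constructed sample links (reserved .example/.test names, not real indicators).
SAMPLE_URLS = [
    "https://sso.twilio.com/login",
    "https://twilio-sso.example/login",
    "https://okta.com.portal-reset.example/",
    "twilio-okta.test/schedule",
    "https://www.associates.example/",
]

if __name__ == "__main__":
    for url, host, hits in flag_urls(SAMPLE_URLS):
        print(f"SUSPICIOUS {host} tokens={hits} url={url}")
```

The same function can be run over URLs extracted from mail, SMS gateway or web proxy logs; the allowlist should hold the organisation's exact sign-in hosts.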

The broad-based attack against Twilio employees succeeded in fooling some staffers into providing their credentials.

The attackers then used the stolen credentials to gain access to some of Twilio’s internal systems, where they were able to access certain customer data.

“We continue to notify and are working directly with customers who were affected by this incident,” Twilio said.

“We are still early in our investigation, which is ongoing,” the company added.

Twilio said the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.

The cloud communications company, which enables customers to build SMS and voice capabilities including two-factor authentication into applications, said the threat actors were well-organised, sophisticated and methodical in their actions.

Once the incident was confirmed, Twilio’s security teams revoked access to the compromised employee accounts to halt the attack.

A leading forensics firm was engaged to aid Twilio’s ongoing investigation.

However, the company has yet to discover who conducted the successful attack.

“We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts,” Twilio said.

"It pains us to have to write this"

Since the attack last week, Twilio said it has reemphasized its security training to ensure employees are on high alert for social engineering attacks, and has issued security advisories on the specific tactics being utilized by malicious actors.

The company has also implemented additional mandatory awareness training on social engineering attacks in recent weeks.

Twilio said it is also examining additional technical precautions as the investigation progresses.

“Trust is paramount at Twilio, and, we know the security of our systems is an important part of earning and keeping your trust.

“We sincerely apologize that this happened,” the company said.

“While we maintain a well-staffed security team using modern and sophisticated threat detection and deterrence measures, it pains us to have to write this note,” it added.

The company will perform an extensive post-mortem on the incident and begin “instituting betterments to address the root causes” of the compromise.

“We thank you for your business, and are here to help impacted customers in every way possible,” Twilio said.


Copyright © 2018 The Channel Company, LLC. All rights reserved.
