Twilio Faces Another Security Incident with Customer Data Compromised
This week, communications platform provider Twilio disclosed a security breach that occurred on June 29, 2022, attributing it to the same group behind its widely reported August 2022 breach. Unauthorized access to customer information was obtained through social engineering, specifically voice phishing ("vishing"): an attacker phoned a Twilio employee and talked them into handing over their credentials.
In its advisory, Twilio noted that the access gained during this incident was detected and contained within 12 hours. Customers affected by the breach were informed on July 2, 2022. However, Twilio has not disclosed the exact number of customers impacted nor the reasons for the delay in reporting this incident.
The San Francisco-based company described the June intrusion as an earlier stage of the same campaign and revised its tally upward: 209 customers are now known to have been affected, up from the 163 reported in August, and 93 individual end users of its Authy two-factor authentication service had their accounts impacted. Twilio serves more than 270,000 customers with its customer engagement platform, and Authy has roughly 75 million users.
Twilio states that it has found no evidence that customer console account credentials, authentication tokens, or API keys were accessed in either incident. The last unauthorized activity observed on its platforms was recorded on August 9, 2022.
In response, Twilio is rolling out additional security measures: FIDO2-compliant hardware security keys for all employees, additional controls on its VPN, and mandatory security training focused on social engineering. The choice of FIDO2 is the substantive one: a FIDO2 authenticator binds each assertion to the origin of the site requesting it, so credentials entered on a counterfeit login page or read out over the phone cannot be replayed against the real one, which is exactly the weakness vishing exploits.
The attack has been linked to a group tracked by Group-IB as 0ktapus and by Okta as Scatter Swine. The group has run a broad campaign against the software, telecommunications, finance, and education sectors. Its playbook is to obtain employees' mobile numbers, then send SMS messages or place calls that direct them to counterfeit login pages impersonating the target's Okta single sign-on, harvesting credentials and one-time passcodes that are used to break into the organization and, from there, into its customers.
Group-IB estimates that as many as 136 organizations fell victim to the campaign, including Klaviyo, MailChimp, DigitalOcean, and Signal. An attempt against Cloudflare failed because its employees authenticate with FIDO2 hardware keys.
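The domains used in the campaign described above follow a recognizable pattern: a brand or login-related word (the target's name, "okta", "sso", "vpn") combined into a domain the company does not own. As an added example, not code from Twilio, Group-IB, or Okta, the following Python script triages the URLs in a batch of SMS messages against that pattern. The company "Example", its allowlisted domains, the keyword list, and the sample messages are all constructed for the illustration; in practice the messages would come from an SMS gateway export or web proxy log and the allowlist from the real set of domains where employees are expected to enter credentials.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS bodies in the style of the campaign described above.
# They are illustrative only; none is a real message from the Twilio incident.
SAMPLE_MESSAGES = [
    "Your Example work schedule was updated. Sign in to review: https://example-sso.com/login",
    "Reminder: your password expires today. Update it at https://example.okta.com/",
    "IT Helpdesk: confirm your account within 2h or it will be locked https://okta-example-vpn.net/verify",
    "Friday cafeteria menu is up: https://cafeteria.example.com/menu.",
]

# Assumed allowlist for the fictional company "Example"; replace with the real
# set of domains where employees are expected to enter corporate credentials.
ALLOWED_DOMAINS = {"example.com", "example.okta.com"}

# Labels that, when they appear in a domain outside the allowlist, suggest a
# page built to look like a corporate login portal (assumed list).
BRAND_KEYWORDS = {"example", "okta", "sso", "vpn", "helpdesk", "login"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in a message, with trailing punctuation stripped."""
    return [u.rstrip(".,;:)!") for u in URL_RE.findall(text)]


def classify_host(host, allowed=ALLOWED_DOMAINS, keywords=BRAND_KEYWORDS):
    """Classify a hostname as 'allowlisted', 'lookalike' or 'unknown'.

    A host is allowlisted when it is one of the approved domains or a
    subdomain of one. Otherwise it is a lookalike when any label in it
    matches a brand or login-related keyword, which is the pattern used by
    the phishing domains described above (e.g. <company>-sso.<tld>).
    """
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in allowed):
        return "allowlisted"
    labels = {t for t in re.split(r"[^a-z0-9]+", host) if t}
    if labels & keywords:
        return "lookalike"
    return "unknown"


def triage(messages, allowed=ALLOWED_DOMAINS, keywords=BRAND_KEYWORDS):
    """Run every URL in every message through classify_host and collect findings."""
    findings = []
    for idx, text in enumerate(messages):
        for url in extract_urls(text):
            host = urlparse(url).hostname or ""
            findings.append({
                "message": idx,
                "url": url,
                "host": host,
                "verdict": classify_host(host, allowed, keywords),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"[{f['verdict']:>11}] msg {f['message']}: {f['host']}  ({f['url']})")
```

Two caveats for anyone adapting this: the allowlist check is an exact-suffix match, so it will not catch homoglyph or IDN look-alikes (use a public suffix list and a Unicode confusables check for those), and the keyword match flags any domain containing the words, so it should feed an analyst queue or a registrar takedown workflow rather than an automatic block.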
Mapped to the MITRE ATT&CK framework, the tradecraft is unremarkable but effective: initial access through Phishing (T1566), in both its SMS and voice forms, followed by use of the harvested Valid Accounts (T1078) to reach customer data. That a provider of Twilio's size was compromised twice by the same group with these techniques underscores how exposed organizations remain to attacks on their people rather than their software.
As Twilio works through the fallout, the incident is a pointed reminder that social engineering defeats passwords and SMS-based second factors alike, and that the practical defenses are phishing-resistant authentication, tight controls on remote access, and employee training that prepares staff for a convincing phone call from "IT".