Twilio Customer Data Breached By SMS Phishing Attack

A ‘sophisticated’ SMS phishing attack on Twilio employees allowed hackers to access some customer data. Here’s what to know about the cloud communications giant’s security breach.


Twilio provided a sample of one of the SMS phishing messages to its employees.

Cloud communications giant Twilio said it was hacked via a phishing attack on its employees with the cyber criminals gaining access to some customers’ data.

With more than 150,000 customers—including the likes of Facebook, the American Red Cross, Airbnb, Lyft, as well as a slew of IT giants like Dell Technologies and Salesforce—San Francisco-based Twilio said it is notifying the affected customers on an individual basis.

“Once Twilio confirmed the incident, our security team revoked access to the compromised employee accounts to mitigate the attack,” said Twilio in a security blog post today.

“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details,” the Seattle-based company said. “If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.”

The cyber attacker has yet to be identified.

Twilio declined to say the number of customers who have been affected or to provide details on what exact data was accessed by the hackers.

The Phishing Attack

On Aug. 4, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

The hackers used SMS phishing messages that falsely claimed to come from Twilio’s IT department, suggesting that the employee’s password had expired or that something in their work schedule had changed. The messages then advised the employee to log in using a fake web address that the attackers created and controlled.

The URLs used words like ‘Okta’ — referring to the San Francisco-based identity and access management firm — and ‘SSO’ to trick users into clicking on the link.
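
As a defensive illustration of the URL pattern described above (an added example, not from Twilio or the original article), the following Python function triages SMS links whose hostnames combine a company name with ‘okta’ or ‘sso’ but are not on the organization’s allowlist. The brand `examplecorp`, the allowlist entries and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumptions (placeholders, not from the article): brand name and allowlist.
BRAND = "examplecorp"
ALLOWED = ("examplecorp.example", "examplecorp.okta.com")
LURE_TOKENS = {"okta", "sso"}  # the words the article says the fake URLs used

URL_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Lower-cased hostname of a URL that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_allowed(host):
    # Suffix match on a label boundary, so 'examplecorp.okta.com.verify-login.test'
    # and 'notexamplecorp.example' are NOT treated as legitimate.
    return any(host == a or host.endswith("." + a) for a in ALLOWED)

def triage_sms(body):
    """Return [(host, verdict)] for non-allowlisted links that imitate a login page."""
    findings = []
    for match in URL_RE.finditer(body):
        host = host_of(match.group(0))
        if not host or is_allowed(host):
            continue
        lure = LURE_TOKENS & set(re.split(r"[.-]", host))
        brand = BRAND in host
        if brand and lure:
            findings.append((host, "block"))    # brand plus 'okta'/'sso'
        elif brand or lure:
            findings.append((host, "review"))   # only one signal present
    return findings

# Constructed sample messages (reserved .example/.test names, not real indicators).
SAMPLES = [
    "Notice! Your ExampleCorp password has expired. Log in at examplecorp-sso.example/reset",
    "Your schedule has changed, see https://examplecorp.okta.com.verify-login.test/",
    "Sign in at https://examplecorp.okta.com/app/home",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms)
```
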

The broad-based attack against Twilio employees succeeded in fooling some into providing their credentials.

The attackers then used the stolen credentials to gain access to some of Twilio’s internal systems, where they were able to access certain customer data.

“We continue to notify and are working directly with customers who were affected by this incident,” said Twilio. “We are still early in our investigation, which is ongoing.”

Twilio said the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.

Twilio: ‘We Have Not Identified The Specific Threat Actors’

The cloud communications company, which enables customers to build SMS and voice capabilities including two-factor authentication into applications, said the threat actors were well-organized, sophisticated and methodical in their actions.

Once the incident was confirmed, Twilio’s security teams revoked access to the compromised employee accounts to halt the attack.

A leading forensics firm was engaged to aid Twilio’s ongoing investigation.

However, the company has yet to discover who conducted the successful attack.

“We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts,” said Twilio.

‘It Pains Us To Have To Write This’

Since the attack last week, Twilio said it has reemphasized its security training to ensure employees are on high alert for social engineering attacks, and has issued security advisories on the specific tactics being utilized by malicious actors.

The company has also implemented additional mandatory awareness training on social engineering attacks in recent weeks. Twilio said it is also examining additional technical precautions as the investigation progresses.

“Trust is paramount at Twilio, and, we know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened,” said the company. “While we maintain a well-staffed security team using modern and sophisticated threat detection and deterrence measures, it pains us to have to write this note.”

The company will perform an extensive post-mortem on the incident and begin “instituting betterments to address the root causes” of the compromise.

“We thank you for your business, and are here to help impacted customers in every way possible,” Twilio said.

Twilio said it will post additional updates on Twilio’s incident report blog if there are any changes or updates.