Twilio Says It Suffered Another Data Breach This Past Summer
In a newly reported attack, an employee was socially engineered via voice phishing, or “vishing,” the company says
Cloud communications company Twilio was actually breached twice, not once, this past summer as a result of phishing attacks that, combined, led to access to hundreds of customers’ data.
In August, Twilio announced that its internal systems had been breached that month after hackers stole employee credentials in an SMS phishing attack, also known as a “smishing” attack.
In an update on Thursday, Twilio said it and a forensic firm had conducted an “extensive investigation” into the August incident and confirmed that the attack vector was indeed compromised employee credentials.
“In mid-July 2022, malicious actors sent hundreds of smishing (SMS phishing) text messages to the mobile phones of current and former Twilio employees,” the company wrote in its new update.
“The malicious actors posed as Twilio IT or other administrators and urged users to click on what appeared to be password-reset and other links. The links led to fake Okta login pages for Twilio. These fake pages were hosted on domains created by the malicious actors, such as twilio-sso.com, twilio.net, twilio.org, sendgrid-okta.org, twilio-okta.net, and twilio-okta.com.”
The update added: “Some Twilio employees entered their credentials on these fake pages. The malicious actors then used the credentials of these Twilio employees to access internal Twilio administrative tools and applications to access certain customer information, which we have detailed in previous blog posts on the incident.”
But Twilio, in its new blog entry, revealed that there had been an earlier “vishing” attack and breach this past summer.
“Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022,” the company said on its blog this week.
“In the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers. The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022.”
Twilio representatives could not be reached for further comment about the June and August incidents.
In its latest blog post, Twilio appeared to minimize the severity of the major ‘smishing’ attack.
The company said that “209 customers – out of a total customer base of over 270,000 – and 93 Authy end users – out of approximately 75 million total users – had accounts that were impacted by the incident.”
The blog post added: “There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or APIs.”
The company said it has finished reaching out to impacted customers.
To prevent or mitigate similar smishing and vishing attacks in the future, Twilio said it has implemented a number of new policies, including adopting stronger two-factor authentication processes.
In conclusion, the company added: “We’d like to apologize to our customers for the incidents. We have talked to hundreds of customers, conveyed our regrets, and described our ongoing efforts to improve.”