Communications giant Twilio has confirmed that it suffered another cyber security incident perpetrated by the same threat actors responsible for the June 2022 attack, which gave access to customer information through a Smishing campaign.
As part of a review of the August attack, the San Francisco tech company revealed they were victims of a security breach where the same threat actor group gained unauthorized access to a limited number of customer information.
When Did the Initial Attack Occur?
Twilio has revealed that a threat actor group “socially engineered” some of its employees and used their credentials to access Twilio’s customer’s information. Although the access was revoked within 12 hours of the incident, the impact was severe, and customers were informed of the breach.
How Much Customer Data was Accessed?
In August 2022, the same attackers launched a second attack, which gave them access to 209 Twilio customers’ data and 93 Authy app users (an authentication service) data. Twilio keeps 270,000 customer data, while Authy has more than 70 million users. The communications software provider has confirmed that according to their investigation, the last unauthorized activity detected on their systems was on August 9th, 2022. They have assured stakeholders that those responsible for the attacks didn’t “access Twilio customers’ console account credentials, authentication tokens, or API keys.”
How did Twilio’s August Ransomware Attack Happen?
The hackers in July sent hundreds of “Smishing” texts to current and former Twilio employees. They presented themselves as members of the Twilio IT department, asking employees to click a link to reset their passwords. The smishing link redirects to a fake page impersonating the Twilio login page where some employees entered their company login credentials. The hackers then used the harvested credential to access Twilio networks and steal customer data.
Who Was Responsible for the Breach?
This data breach is part of a more extensive series of attacks by a ransomware group known as “Oktapus.” The threat actors have targeted over 100 companies, which are mostly organizations based in the US. The threat actors also target other organizations like US retail giants, financial industry organizations, and mobile phone providers.
How Can Twilio Improve Their Access Management in the Future?
To reduce the risk of cyber incidents in the future Twilio will be distributing FIDO2– compliant security keys to all of its employees and implementing mandatory cyber security awareness training for all its employees. The organization also planned to strengthen its current VPN systems
