Cloud communications company Twilio says customer accounts have been accessed after employees fell victim to a “sophisticated social engineering attack designed to steal employee credentials.”
They then “used the stolen credentials to gain access to some of our internal systems.”
The San Francisco-based company (which is listed on the NYSE) has 275,000 customers.
“The threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack” the company said on August 7.
Twilio is potential goldmine for hackers. It owns Authy, an multi-factor authentication (MFA) app dubbed the world’s best by the New York Times earlier this year for “the best combination of compatibility, usability, security, and reliability” and provides an API that allows other companies to bake MFA into their applications.
The Twilio hack comes after fellow authentication provider Okta was hacked earlier this year — an incident that triggered an outcry over Okta’s response. While Twilio has been swift in responding, the casual customer or homepage browser would have to rummage around its site for a while before finding the advisory.
Twilio hacked – How it happened
Numerous Twilio employees received text messages purporting to be from its IT department.
Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and directed them to malicious URLs that included words like “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page.
Twilio said: “We have reemphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago. We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”
The company has a good track record on transparency — responding in detail to an upstream attack in early 2021 that saw hackers clone some of its GitHub repositories and steal some customers’ emails. That incident was the result of a software supply chain attack on code analysis firm Codecov that also affected Hashicorp, amongst many other companies. It this week: “Trust is paramount at Twilio, and, we know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened. While we maintain a well-staffed security team using modern and sophisticated threat detection and deterrence measures, it pains us to have to write this note. We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately. We thank you for your business, and are here to help impacted customers in every way possible.”