Cloud communications giant Twilio has confirmed that hackers obtained employee login credentials and used them to access customer data.

The San Francisco-based company, whose platform lets customers add phone and SMS features such as two-factor authentication (2FA) to their applications, said in a blog post on Monday that it learned on August 4 that someone had gained “unauthorized access” to information related to some Twilio customer accounts.

More than 150,000 businesses, including Facebook and Uber, use Twilio’s services.

The company says an as-yet-unidentified threat actor tricked several Twilio employees into handing over their login credentials, which were then used to access the company’s internal systems.

The attack used SMS phishing (“smishing”) messages that purported to come from Twilio’s IT department and urged the recipient to sign in through a spoofed web address controlled by the attacker, claiming that the employee’s password had expired or that their schedule had changed.

According to Twilio, the attackers used words such as “Okta” and “SSO” (single sign-on) to make the messages look legitimate; Okta is a widely used SSO provider that many companies rely on to protect access to their internal applications. (Earlier this year, Okta itself disclosed a breach in which hackers gained access to its internal systems.) Twilio said it worked with U.S. carriers to stop the malicious messages, and with registrars and hosting providers to take down the fraudulent URLs used in the campaign.
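The lure described above is easy to characterise in code: a link whose hostname borrows the company name and SSO vocabulary (“okta”, “sso”, “login”) but does not resolve to a domain the company actually owns. The script below is an added example, not code from Twilio or TechCrunch; the owned domains (`example-corp.com`, `example-corp.okta.com`), the keyword list and the sample SMS texts are all assumptions constructed for illustration. It extracts links from incoming SMS text (including scheme-less bare domains, which lures often use), decides whether each host is genuinely ours or merely looks like it, and flags messages that combine an external host with SSO/brand keywords. It also handles the subdomain trick (`example-corp.com.sso-reset.co`), which a naive “contains our domain” check would wrongly accept.

```python
"""Flag SMS messages whose links impersonate a company's SSO login page.

Added example, not code from Twilio or TechCrunch. LEGIT_DOMAINS,
LURE_KEYWORDS and SAMPLE_SMS are assumptions / constructed data.
"""
import re
from urllib.parse import urlsplit

# Assumed: domains the organisation legitimately owns (and their subdomains).
LEGIT_DOMAINS = ("example-corp.com", "example-corp.okta.com")

# Words the campaign leaned on to look like an SSO portal, plus the brand name.
# "example-corp" stands in for the real company name (assumption).
LURE_KEYWORDS = ("okta", "sso", "login", "signin", "example-corp")

# Matches links with or without a scheme, since SMS lures are often bare domains.
URL_RE = re.compile(r"(?i)(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?")


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if not re.match(r"(?i)https?://", url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_legit_host(host: str) -> bool:
    """True only if host is one of our domains or a subdomain of one.

    The suffix check is what defeats 'example-corp.com.sso-reset.co':
    it *contains* our domain but does not *end with* '.example-corp.com'.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lure_keywords_in(host: str) -> list[str]:
    """Keywords from LURE_KEYWORDS that appear in the hostname."""
    return [k for k in LURE_KEYWORDS if k in host]


def analyse_sms(text: str) -> list[dict]:
    """One finding per link: hostname, whether we own it, lure words it borrows."""
    findings = []
    for m in URL_RE.finditer(text):
        host = hostname_of(m.group(0))
        if not host:
            continue
        legit = is_legit_host(host)
        findings.append({
            "host": host,
            "legit": legit,
            # Only external hosts count as impersonation; our own SSO host is fine.
            "lure_keywords": [] if legit else lure_keywords_in(host),
        })
    return findings


def is_sso_lure(text: str) -> bool:
    """True if any link points at a domain we do not own that borrows SSO/brand words."""
    return any(f["lure_keywords"] for f in analyse_sms(text))


# Constructed sample messages for the demo (not real campaign texts).
SAMPLE_SMS = [
    "IT Desk: your password expires today. Re-enroll now at https://example-corp-sso.com/okta",
    "Schedule change for tomorrow. Confirm at okta-example-corp.net/login",
    "Reminder: complete security training at https://example-corp.okta.com/app/training",
    "Reset your access: https://example-corp.com.sso-reset.co/verify",
    "Company newsletter: https://news.example.org/q3-update",
    "Your parcel could not be delivered. Please call the depot.",
]


def triage(messages: list[str]) -> list[int]:
    """Indices of messages that look like SSO credential lures."""
    return [i for i, msg in enumerate(messages) if is_sso_lure(msg)]


if __name__ == "__main__":
    for i in triage(SAMPLE_SMS):
        hosts = [f["host"] for f in analyse_sms(SAMPLE_SMS[i]) if f["lure_keywords"]]
        print(f"lure: message {i}: {hosts}")
```

Run as a script it reports messages 0, 1 and 3 as lures; the genuine `example-corp.okta.com` link and the keyword-free external newsletter link are left alone. In a real deployment the keyword list would be driven by the company's own brand and identity-provider names, and the allowlist would come from the organisation's domain inventory rather than a hard-coded tuple.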

The threat actors, however, appeared undeterred, the company said. “Despite this response, the threat actors have persisted in shifting across carriers and hosting providers to resume their attacks,” Twilio wrote in its blog post. Based on these factors, the company added, it has reason to believe the threat actors are well-organized, sophisticated and deliberate in their actions.

Since then, TechCrunch has found that the same attacker also set up phishing pages impersonating other companies, including a U.S. internet service provider, an IT outsourcing firm and a customer service provider. It is not yet known what impact, if any, these campaigns had on those companies.

When contacted, Twilio spokesperson Laurelle Remzi declined to say how many customers were affected or what data the threat actors accessed. According to Twilio’s privacy statement, the data it collects includes addresses, payment details, IP addresses and, in some cases, identity documents.

Since the breach, Twilio says it has revoked access to the compromised employee accounts and stepped up security awareness training so that staff are on “high alert” for social engineering attempts. The company said it has begun contacting affected customers individually.
