Telephone fraud by a criminal hacker showing Twilio hack from vishing attack

Culprit Behind Twilio Hack Traced to Earlier Vishing Attack That Nabbed Employee Credentials

An investigation into an August smishing attack on Twilio has turned up a connection to an earlier vishing attack. It appears that the culprit behind the August Twilio hack also managed to penetrate the company in June in a separate incident that exposed a much smaller amount of customer contact information.

Two Twilio hacks in three months linked to the same threat actor

The August Twilio hack stemmed from a campaign that peppered employees with SMS messages, eventually convincing one to visit a fraudulent login page. The investigation into this incident was recently concluded, and the company has found that the same attacker was responsible for a smaller breach in June. That earlier incident involved a different approach, however; a vishing attack (voice phishing) that was able to convince an employee of the company to give up their login credentials over the phone.

The June vishing attack window reportedly lasted for only about 12 hours and provided the attackers with access to a “limited” amount of customer information. Those that were impacted were notified in July, but the link to the August attack is new. The August Twilio hack was apparently launched shortly after customers were notified of the first attack, with the hacker changing their approach to pose as a member of the company’s IT staff and attempt to get employees to enter credentials into a fake Okta login portal.

The final report also includes some new information about the August incident. While that later Twilio hack was thought to be much more damaging, the investigation found that it also impacted relatively few customers; just 209 of the company’s 270,000 accounts, and 93 of its roughly 75 million Authy service end users. The most newsworthy item that came from the August Twilio hack was the follow-up breach of Signal, but the privacy messaging service reported only seeing one successful incident of an account being re-registered to a new device (and only three in total were targeted in this way).

Twilio has since reset the credentials of any employees that were compromised in either of the attacks, and is in process of distributing FIDO2 hardware security keys to all of its employees as a two-factor authentication method. The company also said that it is adding layers of protection to its company VPN, and retool certain administrative functions and Okta-integrated applications, and that the smishing and vishing attacks did not provide the threat actors with access to customer credentials or authentication tokens.

Vishing attacks becoming more popular with hackers

The culprit behind the Twilio hacks is referred to as “0ktapus” (sometimes also called “Scatter Swine”), due to their focus on stealing Okta logins as an initial entry point. Not much is known about these threat actors as of yet, but the Twilio hacks were part of a larger ongoing campaign that targeted 130 organizations. While 0ktapus mostly used SMS messages leading to fake Okta login pages in this campaign, its sporadic use of vishing attacks is part of a general uptick in profit-seeking criminal hackers turning back to phone calls and old-fashioned social engineering.

Both SMS and vishing attacks are taking some of the market share from phishing emails, which to date have generally been the primary method that ransomware and other criminal gangs use to make first contact with targets. One of the drivers of this trend, somewhat ironically, is the increase in use of two-factor authentication and login approval prompts sent to employee phones. Organizations are generally relying more on text messages as a communications means as the share of remote work has greatly increased over the last two years, and attackers are taking advantage of the fact that employees are becoming more adjusted to seeing company text messages related to security matters appearing on their phones.

A recent study conducted by KnowBe4 found that vishing attacks have jumped 625% from Q1 2021 to Q2 2022, and another study from Proofpoint found that 69% of companies have now experienced an attempted attack of this nature (up from 54% in 2020). There are several factors contributing to this rise. One is an increase in the popularity of fake employment schemes, something that North Korea’s state-backed hackers famously employed to get access to the Ronin blockchain network and steal over $600 million. Engineers and IT staff with privileged access can potentially be baited with a well-crafted fake job offer, which in some cases goes so far as fake interviews.

Vishing attacks are also adding more sophisticated “hybrid” elements that appear to be upping success rates for criminals. One example is the use of a spoofed email from some trusted brand or source with a contact number in the body, with threat actors waiting to play the role of a customer service agent when the number is called.

Investigation into the August Twilio hack was recently concluded, and the company has found that the same attacker was responsible for a #vishing attack that led to a smaller #databreach in June. #cybersecurity #respectdataClick to Tweet

Oliver Pinson-Roxburgh, CEO of, notes that it is important for organizations to keep abreast of these increasingly complex trends in social engineering as criminals will re-use a proven method many times: “This latest security incident at Twilio, which used a phone phishing attack, is a timely reminder that it’s not just suspicious emails or texts people need to be on alert for. Hackers are adaptable and will use a host of different platforms to psychologically manipulate users into handing over access to sensitive information. Social engineering attacks like this remain a highly cost-effective and impactful way for hackers to keep employees off balance, and breach company systems; all it takes is one person to fall for it to make it worth their time. While this was only a minor breach of a few hundred users, social engineering attacks have the potential to be a far bigger threat for businesses. It targets the weakest point in any organisation’s cyber defences, the human element. The most cutting-edge technology securing your digital infrastructure is rendered virtually useless if employees are not adequately educated in the dangers of social engineering attacks and how to avoid them. People at every level of any organisation must be cyber aware and vigilant of the threat. If they are, the greatest weakness can quickly become the best line of defence.”


Senior Correspondent at CPO Magazine