Cloud communication giant Twilio confirmed a data breach after a successful SMS phishing attack targeting its employees’ credentials.
Twilio said a few employees fell for the social engineering attack, exposing the credentials of a limited number of its employee accounts. The threat actor used the stolen credentials to compromise Twilio’s internal systems and access certain customer data. Twilio says the data breach impacted at least 125 customers.
With over 5,000 employees in 17 countries, Twilio offers a programmable API interface for text, email, voice, and video. The company supports more than 150,000 businesses and 10 million developers. In 2015, the company also acquired Authy, a programmable two-factor authentication provider.
Twilio’s client base includes high-profile companies such as Facebook, Stripe, Coca-Cola, Uber, Airbnb, crypto.com, Dell, VMware, and Philips. Thus, the attack could have wider implications despite the small number of victims.
Threat actors impersonated the IT department in Twilio’s SMS phishing attack
The attackers impersonated Twilio’s IT department, informing their targets that their passwords had expired or their schedules had changed.
According to Twilio’s statement, the phishing messages had links to spoofed domains containing words like Twilio, SSO, and Okta. The malicious URLs redirected the victims to a fake Twilio login page that harvested their credentials.
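The indicator the article describes, links whose hostnames carry brand words such as Twilio, SSO or Okta but do not belong to the real vendor domains, can be screened for in SMS or mail gateway logs. The following Python filter is an added example, not code from the article, Twilio or Cloudflare; the allow-list of trusted domains and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the vendor domains an organisation actually signs in through.
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}
# Brand words the article says appeared in the spoofed domains.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the sample; production code
    should consult the public suffix list to handle e.g. co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(url: str) -> bool:
    """True when the host mentions a brand word but its registrable domain is
    not a trusted vendor domain. Catches twilio-sso.example as well as the
    subdomain trick twilio.com.login.example."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return False
    return any(kw in host for kw in BRAND_KEYWORDS)


def flag_messages(messages):
    """Return (sender, url) pairs whose links look like brand impersonation."""
    hits = []
    for sender, body in messages:
        for url in URL_RE.findall(body):
            if is_lookalike(url):
                hits.append((sender, url))
    return hits


# Constructed sample SMS records (sender, body); none are real messages.
SAMPLE_SMS = [
    ("+15550001111", "IT: your password expired, renew at https://twilio-sso.example/login"),
    ("+15550002222", "Schedule change, review at https://sso.okta.example.net/auth"),
    ("+15550003333", "Your verification code is 123456. Help: https://www.twilio.com/help"),
    ("+15550004444", "Reset now: https://twilio.com.login.example/reset"),
]

if __name__ == "__main__":
    for sender, url in flag_messages(SAMPLE_SMS):
        print(f"suspicious link from {sender}: {url}")
```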
“This is a storybook case of the damage phishing links can do. Compromised credentials are often derived from a URL in a phishing message … As soon as it’s clicked, the cycle of information loss and damage begins,” Jeannie Warner, director of product marketing at Exabeam, said.
Twilio says the phishing SMS messages originated from U.S. carriers. The cloud communication company contacted the U.S. service providers to block SMS phishing messages and hosting companies to disable the hosting accounts.
“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” the company said.
However, the attackers were determined to sustain the campaign by rotating through carriers and hosting providers. Additionally, they could match employee names with phone numbers. They also contacted former Twilio employees, suggesting they had planned the SMS phishing attack well in advance.
Based on these factors, the company concluded that the malicious actors were well-organized, sophisticated, and methodical in their actions.
Twilio did not disclose the identity of the threat actors responsible for the SMS phishing attack or the nature of the information they stole. The company collects various data points, including IP addresses, payment information, and proof of identity.
The cloud communications company revoked access to the compromised accounts, commenced an investigation, and engaged law enforcement agencies. Twilio also notified the affected customers. Additionally, the company reactivated mandatory security training to keep its employees on high alert for social engineering attacks.
“In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s ‘Business Need to Know’ are powerful deterrents,” Neil Jones, director of cybersecurity evangelism at Egnyte, said. “You also need to re-educate your company’s users that phishing attacks don’t occur only by e-mail.”
Content delivery network (CDN) Cloudflare confirmed it was targeted in a similar SMS phishing attack aimed at 76 employees. Three Cloudflare employees fell for the trick and disclosed their passwords. However, the company’s hardware-based MFA blocked unauthorized access.
The CDN provider responded by blocking the malicious domains, identifying impacted employees, resetting their credentials, and coordinating with DigitalOcean to shut down the attacker’s server and Porkbun to seize the domain.
Cloudflare and Twilio said defending against the SMS phishing attack was almost impossible. Additionally, the companies could not determine how the malicious actors obtained employees’ phone numbers and those of their family members.
“The alleged cyber-attack on digital authentication provider Twilio reminds us that organizations’ IT security programs are only as strong as their weakest links,” Jones said. “Here, we see how social engineering and ‘smishing’ tactics can lead to fraudulent account access and ultimately impact a brand’s reputation.”
Jones added that the attack demonstrated the “intimate, technical relationship” employees had with their mobile devices.
“The Twilio breach that gave hackers access to customers’ data highlights how crucial strong access management and infrastructure are to maintain strong security,” Tim Prendergast, CEO of strongDM, said. “Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases, and servers and access to everything companies don’t want leaked publicly.”
According to Mark Bower, VP of Product Management at Anjuna Security, turning trusted employees into insider threats was a cheaper and perfect way to bypass traditional security controls.
“Once inside with high levels of privilege, coordinated attackers can launch mayhem and theft – manipulating data, stealing even highly sensitive data like keys from running applications.”