It was August 4, 2022 when the Twilio team first became aware of a sophisticated social engineering attack that was being used to steal the credentials of their employees. Due to the advanced nature of the phishing attack, it was a success – and the hackers were then able to access a limited number of customer accounts.
A related blog post read, in part: “On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
It Gets Worse
But the fallout doesn’t end there. While it’s still unclear as to how many customer accounts were exposed in the hack, the same hack was later used to expose the personal phone numbers of nearly 2,000 users on the encrypted messaging app known as Signal.
According to the hacking group responsible, they’ve breached the systems of approximately 130 different companies – including brands like Twitter, Microsoft, Epic Games, Coinbase, Slack, Verizon Wireless, Mailchimp, T-Mobile, and many others.
While the exact identity of the perpetrators has yet to be revealed, at least one source has narrowed the location down to North Carolina in the United States. Although Twilio’s official blog post states that the attack originated from U.S. carrier networks, it didn’t provide any further detail.
How it Worked
As mentioned earlier, the attack was akin to a highly sophisticated phishing attack. By impersonating an official Twilio account, specifically the IT department, the hackers tricked unsuspecting employees into thinking that their passwords had expired. In other cases, they tricked users into scheduling an important meeting.
If the user went through with it and clicked the link – which some did – it led them to a hijacked webpage that looked identical to the internal Twilio login pages. However, these sites were secretly under the control of the hackers. By entering their information and trying to log in, the users were feeding their credentials directly to the hackers.
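The lure described above relies on two things a mail or SMS gateway can check for: a link whose hostname imitates a company's brand without belonging to its real domain, and a pretext that creates urgency (an expired password, an important meeting). The following is an added example, not Twilio's own tooling or anything from the original article. The brand list, the legitimate domains, the substitution table and the sample messages are all assumptions constructed for illustration.

```python
"""Flag lookalike links and urgency pretexts in inbound messages (added example)."""
import re
from urllib.parse import urlsplit

# Brands to protect and their legitimate registered domains (assumed for this example).
LEGIT_DOMAINS = {
    "twilio": {"twilio.com"},
    "okta": {"okta.com"},
}

# Common digit-for-letter swaps seen in lookalike hostnames.
SUBS = {"i": "[i1l]", "l": "[l1]", "o": "[o0]", "e": "[e3]", "s": "[s5]", "a": "[a4]"}


def brand_pattern(brand):
    """Regex that matches the brand name including the swaps in SUBS."""
    return re.compile("".join(SUBS.get(c, re.escape(c)) for c in brand))


BRAND_PATTERNS = {b: brand_pattern(b) for b in LEGIT_DOMAINS}

# Pretexts used in the campaign described above: expired password, urgent meeting.
URGENCY = re.compile(r"password (has )?expired|schedul\w* .*meeting|verify your account", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(host):
    """Last two DNS labels; a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is the real domain or unrelated."""
    h = host.lower()
    rd = registered_domain(h)
    for brand, pat in BRAND_PATTERNS.items():
        # Brand name present in the host, but the host is not under the brand's real domain.
        if pat.search(h) and rd not in LEGIT_DOMAINS[brand]:
            return brand
    return None


def analyze_message(text):
    """Extract links from a message and flag those whose host imitates a known brand."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append({"url": url, "host": host, "imitates": brand})
    return {"lookalike_links": findings, "urgency": bool(URGENCY.search(text))}


def triage(text):
    """'high' = lookalike link plus urgency pretext, 'medium' = lookalike link only, else 'none'."""
    result = analyze_message(text)
    if result["lookalike_links"]:
        return "high" if result["urgency"] else "medium"
    return "none"


# Constructed sample messages; none of these are real messages from the incident.
SAMPLE_MESSAGES = [
    "Twilio IT: your password has expired. Reset it now at https://twilio-sso.example.net/login",
    "Reminder: join the scheduled meeting at https://sso.twilio.com/meet",
    "New portal: https://tw1lio-help.example.net/",
    "Lunch at noon? https://example.org/menu",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(triage(message), "-", message)
```

Urgency wording on its own is not treated as a signal, since legitimate reminders use the same phrasing; it only raises the severity of a message that already carries a lookalike link. The registered-domain check is deliberately naive (last two labels) so that the logic stays readable; production filters should use the public suffix list and also inspect punycode hostnames.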
A Quick Resolution
Thankfully, the team at Twilio was quick to discover the breach and take action. They immediately revoked all access to the affected accounts and have already begun notifying the affected customers. A digital forensics investigation is currently ongoing.
A later update, issued in mid-August 2022, stated that approximately 163 Twilio customer accounts were compromised in the breach. However, the hackers also accessed the accounts of 93 Authy users. Authy was purchased by Twilio in 2015 and is highly integrated with Twilio.
But there is no evidence that any passwords, authentication tokens, or API keys were accessed in the attack. If there’s any silver lining, it’s the fact that the attacks were rather limited in scope – having only affected a few hundred Twilio and Authy users in all – and the damage seems to be minimal.
Hackers Target Multiple Services in Phishing Attack