Twilio: Employee and customer accounts compromised
Employees of the service provider Twilio have fallen victim to a phishing campaign. With the stolen credentials, the attackers gained unauthorized access to customer data.
Attackers phished Twilio employees last Thursday and were subsequently able to access further internal information. Twilio offers cloud services for automated sending and receiving of SMS messages, phone calls and chat. Customers such as Airbnb, Salesforce and Uber integrate these into their apps and services, for example to implement multi-factor authentication.
The broad phishing campaign against Twilio employees succeeded in getting some of them to hand over their login credentials. The attackers used these credentials to log in to the company's internal systems and obtained some customer data, which Twilio has not described in detail. According to its own report on the incident, Twilio is contacting affected customers directly. The investigation is still ongoing.
Attackers with sophisticated skills
Current and former employees received text messages claiming to come from the IT department. Typical pretexts were that the recipient's password had expired or that the shift schedule had changed, and that they needed to visit a URL and log in there. The domains were built from the parts "Twilio", "Okta" and "SSO", for example "twilio-sso.com". They were under the attackers' control and served copies of the Twilio login page.
Because the messages were sent from US-based carrier networks, Twilio worked with the carriers and was able to shut off the attackers' sending channels. It also worked with hosting providers to take the malicious domains offline. Twilio further reports that other companies were targeted by the same campaign and that it coordinated with them to counter it, but does not name them.
Since the attackers kept going through other carriers and with fresh domains despite these countermeasures, Twilio describes them as well organized, sophisticated and methodical. They were also able to match employee names to mobile phone numbers, which Twilio reads as a sign of advanced capabilities.
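The lure domains described above follow a recognizable pattern: a brand name glued to an SSO-flavoured word on a domain the company does not own. The following detector, added here as an example and not part of the article or of Twilio's own tooling, pulls hostnames out of SMS bodies and flags those that combine a brand token with an SSO token while not being on an allowlist of legitimate sign-in hosts. The allowlist, the token lists and the sample messages are constructed assumptions; only the "twilio-sso.com" pattern comes from the article.

```python
"""Flag SMS lures that use lookalike single-sign-on domains.

Added example, not Twilio's code. LEGIT_HOSTS, the token lists and
SAMPLE_SMS are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts where employees legitimately sign in (assumed allowlist; a real
# deployment loads the organisation's own list, including every SSO host).
LEGIT_HOSTS = {"twilio.okta.com", "login.twilio.com"}

# Brand names the campaign impersonated, and the SSO-style words it
# combined them with. Both lists are assumptions for this example.
BRAND_TOKENS = ("twilio",)
SSO_TOKENS = ("sso", "okta", "login", "signin", "auth")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text: str) -> list[str]:
    """Return the lower-cased hostname of every http(s) URL in an SMS body."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_lookalike(host: str) -> bool:
    """True for a host that is not an allowed sign-in host but still pairs a
    brand name with an SSO-style token, e.g. twilio-sso.com (the pattern
    Twilio reported) or twilio-okta.net.

    Hyphens and dots are stripped before matching so that "twilio-sso",
    "twiliosso" and "sso.twilio" are all treated alike. Homoglyph or
    digit-substitution variants (tw1lio) are not handled here.
    """
    if host in LEGIT_HOSTS:
        return False
    flat = host.replace("-", "").replace(".", "")
    has_brand = any(b in flat for b in BRAND_TOKENS)
    has_sso = any(s in flat for s in SSO_TOKENS)
    return has_brand and has_sso


def triage(messages):
    """Return (message, suspicious_hosts) pairs for messages that link to a
    lookalike host; messages with only allowed or unrelated hosts are dropped."""
    hits = []
    for msg in messages:
        bad = [h for h in extract_hosts(msg) if is_lookalike(h)]
        if bad:
            hits.append((msg, bad))
    return hits


# Constructed sample messages modelled on the pretexts in the article.
SAMPLE_SMS = [
    "IT: your password expires today. Renew at https://twilio-sso.com/reset",
    "Shift schedule changed, confirm at http://twilio-okta.net/login",
    "Reminder: sign in at https://twilio.okta.com to complete training",
    "Your package is waiting: https://example-delivery.com/track",
]

if __name__ == "__main__":
    for msg, hosts in triage(SAMPLE_SMS):
        print("LOOKALIKE", hosts, "<-", msg)
```

The allowlist is what makes this usable: a legitimate host such as "twilio.okta.com" contains both a brand and an SSO token, so token matching alone cannot separate it from "twilio-okta.net". Whoever deploys a check like this has to enumerate every genuine sign-in host up front, or the first thing it flags will be the real SSO portal.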
Consequences still unclear
The company has revoked access for the compromised employee accounts to stop the attacks. In addition, Twilio has brought in a leading forensics firm to assist in the ongoing investigation.
It is still unclear, however, which data the attackers were able to access and what specific damage they could do with it. The case recalls the break-in earlier this year at the service provider Sitel, which provides customer support services for the identity management provider Okta. It was initially assumed that the Lapsus$ group had gained access to Okta customer systems and could exfiltrate large amounts of data; according to the final analysis, that was not the case.