Twilio, the world’s largest provider of communications services, has revealed that hackers obtained employee login credentials and used them to access customer data.
The San Francisco-based company, which lets customers integrate phone and SMS features such as two-factor authentication (2FA) into their applications, disclosed in a blog post on Monday that it learned on August 4 that someone had gained “unauthorized access” to data pertaining to some Twilio customer accounts.
More than 150,000 businesses, including Facebook and Uber, use Twilio’s services. The company says that an as-yet-unidentified threat actor persuaded a number of Twilio employees to hand over their login credentials, which gave the attacker access to the company’s internal systems.
The attack used SMS phishing messages that appeared to come from Twilio’s IT department. Claiming that the employees’ passwords had expired or that their schedules had changed, the messages urged the recipient to sign in at a spoofed web address controlled by the attacker.
According to Twilio, the attackers used terms such as “Okta” and “SSO” (single sign-on) to make the messages look legitimate; many businesses rely on SSO to protect access to their internal applications. Twilio said it worked with U.S. carriers to block the malicious messages, and with registrars and hosting providers to take down the malicious URLs used in the campaign. Okta itself was hit by a breach earlier this year, in which hackers gained access to its internal systems.
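The lure pattern described above (an IT-department pretext, “Okta”/“SSO” wording, a password-expired or schedule-changed hook, and a link to a lookalike login host) can be turned into a simple triage heuristic for SMS messages that employees report. This is an added example, not Twilio’s code or anything from the article; the allowlisted login hosts and the sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of the organisation's real login hosts (placeholders, not Twilio's).
LEGIT_LOGIN_HOSTS = {"example.okta.com", "sso.example.com"}

# Lure vocabulary taken from the campaign as described in the article.
IDENTITY_RE = re.compile(r"\b(okta|sso|single sign-on)\b", re.I)
PRETEXT_RE = re.compile(r"\b(password (has )?expired|schedule (has )?changed)\b", re.I)
IT_RE = re.compile(r"\b(it (department|team)|help ?desk)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_hosts(text):
    """Return the lowercased hostnames of every http(s) URL in the message."""
    return [h for h in ((urlparse(u).hostname or "").lower()
                        for u in URL_RE.findall(text)) if h]


def lookalike(host, legit_hosts):
    """True if a link host is outside the allowlist but reuses a brand token
    from a legitimate host (e.g. 'okta' or the company name)."""
    if host in legit_hosts:
        return False
    tokens = {t for h in legit_hosts for t in h.split(".")
              if len(t) > 2 and t not in ("com", "net", "org")}
    return any(tok in host for tok in tokens)


def score_sms(text, legit_hosts=LEGIT_LOGIN_HOSTS):
    """Return (score, reasons); every matched indicator adds one point."""
    reasons = []
    if IDENTITY_RE.search(text):
        reasons.append("identity-provider term")
    if PRETEXT_RE.search(text):
        reasons.append("credential-reset / schedule pretext")
    if IT_RE.search(text):
        reasons.append("IT-department impersonation")
    for host in extract_hosts(text):
        if lookalike(host, legit_hosts):
            reasons.append("lookalike login host: " + host)
        elif host not in legit_hosts:
            reasons.append("non-allowlisted link host: " + host)
    return len(reasons), reasons


def triage(messages, threshold=3):
    """Return the messages that reach the threshold and deserve analyst review."""
    return [m for m in messages if score_sms(m)[0] >= threshold]


# Constructed sample messages, not real campaign content.
SAMPLE_MESSAGES = [
    "Example IT Department: your Okta password has expired. Reset now at https://example-okta.sso-reset.test/login",
    "Your schedule has changed. Review it at https://example-sso.test/schedule",
    "Reminder: the team lunch is at 12:30 tomorrow.",
    "Sign in at https://sso.example.com to approve your MFA enrollment.",
]
```

Messages that only mention the legitimate SSO host score low, while the two lure-style messages cross the threshold and get routed to a responder.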
Even so, Twilio said, the threat actors were undeterred. According to the company’s blog post, they kept switching between carriers and hosting providers in order to continue their attacks, which Twilio said gives it grounds to believe the threat actors are well-organized, sophisticated and deliberate in their actions.
It has since emerged that the same actor also set up phishing pages impersonating other businesses, including a U.S. internet company, an IT outsourcing firm and a customer service provider. What impact, if any, these activities had on those companies is not yet known.
When contacted, Twilio spokesperson Laurelle Remzi declined to say how many customers were affected or what data the threat actors accessed. According to Twilio’s privacy statement, the data it collects includes addresses, payment information, IP addresses and, in some cases, identity documents.
Twilio said that since the breach it has revoked access for the compromised employee accounts and stepped up security awareness training to keep staff on “high alert” for social engineering attempts. The company said it has begun contacting affected customers individually.
Social engineering attacks are becoming increasingly common. Earlier this year it was reported that both Apple and Meta handed over data to hackers posing as law enforcement officials, and last year a hacker tricked a Robinhood customer support agent into exposing the personal data of nearly 7 million users.