Communications company Twilio has disclosed a data breach in which threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.
Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.
The company has more than 5,000 employees in 17 countries, and its revenues in 2021 were US$2.84 billion.
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” reads the incident report published by Twilio over the weekend.
The company did not disclose the number of affected employees and customers.
Company employees received phishing messages impersonating the IT department. The messages informed recipients that their passwords had expired, or that their schedule had changed, and urged them to log in to a URL the attacker controls. The URLs in the messages included words like “Twilio,” “Okta,” and “SSO” in an attempt to trick users into clicking a link that redirected them to a landing page impersonating Twilio’s sign-in page. The text messages originated from U.S. carrier networks.
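The lure pattern described above (brand and SSO keywords in a URL that does not belong to the organisation) can be screened for in reported SMS text or proxy logs. The following is an added example, not code from Twilio or the original article; the allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Keywords the incident report says appeared in the lure URLs.
KEYWORDS = ("twilio", "okta", "sso")
# Assumption: the domains this organisation really signs in through.
ALLOWED_DOMAINS = ("twilio.com", "okta.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_allowed(host: str) -> bool:
    """True only if host is an allowed domain or a subdomain of one.
    Suffix matching rejects hosts that merely embed a brand as a prefix."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def suspicious_urls(message: str) -> list[tuple[str, list[str]]]:
    """Return (url, matched keywords) for keyword-bearing URLs off the allowlist."""
    findings = []
    for url in URL_RE.findall(message):
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL, nothing to classify
            continue
        host = (parts.hostname or "").lower().rstrip(".")
        if not host or is_allowed(host):
            continue
        # Check host and path: the keyword can sit in either place.
        haystack = host + parts.path.lower()
        hits = [k for k in KEYWORDS if k in haystack]
        if hits:
            findings.append((url, hits))
    return findings

# Constructed sample messages (reserved .example/.test names, not real indicators).
SAMPLE_SMS = [
    "Notice: your password has expired. Log in at https://twilio-sso.example/login to renew.",
    "Your schedule has changed. Review: https://okta.twilio.com.portal-help.test/reset",
    "Reminder: the console is at https://www.twilio.com/login",
    "Lunch menu: https://cafeteria.example/menu",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, hits in suspicious_urls(sms):
            print(f"FLAG {url} keywords={hits}")
```

Keyword matching of this kind is a triage signal for reported messages, not a verdict; hits still need review against the organisation's real sign-in domains.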
“The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” continues the incident report. “Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
Twilio reported that it is aware of similar attacks that hit other companies; for this reason, it has coordinated its response to the threat actors. The company is collaborating with carriers to stop the malicious messages, as well as with registrars and hosting providers to shut down the malicious URLs.
The company has also revoked access to the compromised employee accounts.
“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack,” concludes the report. “The Twilio Security Incident Response Team will post additional updates here if there are any changes. Also note that Twilio will never ask for your password or ask you to provide two-factor authentication information anywhere other than through the twilio.com portal.”
(SecurityAffairs – hacking, data breach)