Twilio breach let attackers access Authy two-factor accounts of 93 users

Threat actors behind the Twilio hack also gained access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.

Early August, the communications company Twilio discloses a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

The company has more than 5,000 employees in 17 countries, and its revenues in 2021 are US$2.84 billion.

Twilio last week announced that that the threat actors also gained access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.

“To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period of time, and we have notified all of them.” reads an update provided by the company on August 24, 2022.

“In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts.”

The company added that it has since identified and removed the illegitimately added devices from the impacted accounts.

Twilio owned company Authy provides Two-factor authentication (2FA) to protect accounts from hacking.

Twilio already contacted the 93 impacted Authy users and provided them with additional guidance to protect their account:

• Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.
• Review all devices tied to their Authy account and remove any additional devices they don’t recognize.
• To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable “Allow Multi-device” in the Authy application. Users can re-enable “Allow Multi-device” to add new devices at any time. Specific steps can be found here.

Last week, security firm Group-IB reported that the threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations. Most of the victims are organizations providing IT, software development, and cloud services.

The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.

Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.

Experts pointed out that despite using low-skill methods, threat actors were able to compromise a large number of well-known organizations. Group-IB speculates that the attack was planned carefully in advance because once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.

The threat actors targeted employees of companies that are customers of IAM leader Okta, the attack chain started with text messages sent to the victims containing links to phishing sites that mimicked the Okta authentication page of the respective targeted entities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Twilio)

[adrotate banner=”5″]

[adrotate banner=”13″]