Data Breach

Twilio breach let attackers access Authy two-factor accounts of 93 users

Threat actors behind the Twilio hack also gained access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.

Early August, the communications company Twilio discloses a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack.

Twilio is an American firm that provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.

The company has more than 5,000 employees in 17 countries, and its revenues in 2021 are US$2.84 billion.

Twilio last week announced that that the threat actors also gained access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.

“To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period of time, and we have notified all of them.” reads an update provided by the company on August 24, 2022.

twilio logotwilio logo

“In addition, to date, our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users – out of a total of approximately 75 million users – and registered additional devices to their accounts. We have since identified and removed unauthorized devices from these Authy accounts.”

The company added that it has since identified and removed the illegitimately added devices from the impacted accounts.

Twilio owned company Authy provides Two-factor authentication (2FA) to protect accounts from hacking.

Twilio already contacted the 93 impacted Authy users and provided them with additional guidance to protect their account:

  • Review any linked account(s) for suspicious activity and work with their account provider(s) if they have any concerns.
  • Review all devices tied to their Authy account and remove any additional devices they don’t recognize.
  • To prevent the addition of unauthorized devices, we recommend that users add a backup device and disable “Allow Multi-device” in the Authy application. Users can re-enable “Allow Multi-device” to add new devices at any time. Specific steps can be found here.

Last week, security firm Group-IB reported that the threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations. Most of the victims are organizations providing IT, software development, and cloud services.

The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.

Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.

Experts pointed out that despite using low-skill methods, threat actors were able to compromise a large number of well-known organizations. Group-IB speculates that the attack was planned carefully in advance because once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.

The threat actors targeted employees of companies that are customers of IAM leader Okta, the attack chain started with text messages sent to the victims containing links to phishing sites that mimicked the Okta authentication page of the respective targeted entities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Twilio)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on…

1 hour ago

New PumaBot targets Linux IoT surveillance devices

PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and…

5 hours ago

App Store Security: Apple stops $2B in fraud in 2024 alone, $9B over 5 years

Apple blocked over $9B in fraud in 5 years, including $2B in 2024, stopping scams…

6 hours ago

Crooks use a fake antivirus site to spread Venom RAT and a mix of malware

Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading…

10 hours ago

Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks<gwmw style="display:none;"></gwmw>

Iranian man pleads guilty to role in Baltimore ransomware attack tied to Robbinhood, admitting to…

11 hours ago

DragonForce operator chained SimpleHelp flaws to target an MSP and its customers

Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a…

21 hours ago