Twilio discloses another security incident that took place in June

Twilio suffered another brief security incident in June 2022, the attack was conducted by the same threat actor of the August hack.

The Communications company Twilio announced that it suffered another “brief security incident” on June 29, 2022, the attack was conducted by the same threat actor that in August compromised the company and gained access to customers’ and employees’ information.

“Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers.” reads the update to the incident report provided by the company. “The threat actor’s access was identified and eradicated within 12 hours.”

In June, threat actors obtained the credentials of a Twilio employee through a ‘vishing‘ attack, then used it to access customer contact information for a limited number of customers. The company already notified impacted customers on July 2, 2022, at this time the exact number of impacted customers was not revealed.

The unauthorized access was identified and thwarted within 12 hours.

At the end of August, a security firm revealed that the threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations. Most of the victims are organizations providing IT, software development, and cloud services.

The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.

Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.

Experts pointed out that despite using low-skill methods, threat actors were able to compromise a large number of well-known organizations. The experts speculate that the attack was planned carefully in advance because once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.

The threat actors targeted employees of companies that are customers of IAM leader Okta, the attack chain started with text messages sent to the victims containing links to phishing sites that mimicked the Okta authentication page of the respective targeted entities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Twilio)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.