Pierluigi Paganini
April 15, 2024
Cisco Duo warns of a data breach involving one of its telephony suppliers, compromising multifactor authentication (MFA) messages sent to customers via SMS and VOIP.
The security breach occurred on April 1, 2024, the threat actors used a Provider employee’s credentials that illicitly obtained through a phishing attack. Then they used the access to download a set of MFA SMS message logs belonging to customers’ Duo accounts.
“More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024. The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” reads the data breach notification send to the impacted individuals. “The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs.”
Threat actors had access to phone numbers, phone carriers, countries, and states to which each message was sent. Attackers also obtained other metadata, including the date and time of the message, type of message, etc..
Once discovered the incident, the Provider immediately launched an investigation and implemented mitigation measures. The Provider invalidated the employee’s credentials and analyzed the logs. The
“Provider also started implementing measures to prevent similar incidents from occurring in the future and additional technical measures to further mitigate the risk associated with social engineering attacks. The Provider confirmed that they will also require employees to undergo additional social engineering awareness training.” continues the notification.
Affected users whose phone numbers were in the logs are recommended to remain vigilant and promptly report any suspected activities.
(SecurityAffairs – hacking, Cisco Duo)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
