Alleged Hacking Group Leader Behind Twilio, LastPass, & Mailchimp Breaches Arrested

What will the arrest mean for the companies impacted by the attacks?


Published: June 18, 2024

Rhys Fisher

The supposed ringleader of the cybercrime group responsible for hacking Twilio, LastPass, and Mailchimp has been arrested in Spain.

The UK citizen allegedly led the ‘Scattered Spider’ hacking group, which has been linked to cyber-attacks on almost 130 organizations over the past two years.

Reports close to the investigation have revealed that Tyler Buchanan, 22, from Dundee, Scotland, is the accused.

As seen in the video below, Buchanan was arrested in Palma de Mallorca, Spain, where he was attempting to board a flight to Italy.

Local Spanish daily Murcia Today reported that “he [Buchanan] stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds.

“According to Palma police, at one point, he controlled Bitcoins worth $27 million.”

The 2022 Twilio Attack

The accused hacker, who went by aliases such as ‘Tyler’ and ‘tylerb,’ led the group that specialized in SIM-swapping attacks.

In these attacks, fraudsters would transfer the victim’s phone number to a device they control, allowing them to intercept text messages and phone calls intended for the victim.

One of the major companies affected by the Scattered Spider spree was Twilio, which suffered a data breach in the summer of 2022.

Hackers deceived Twilio employees into sharing their login credentials, which compromised customer data and gave the attackers access to some internal systems.

It is estimated that the attack affected approximately 125 Twilio customers.

The attack started when employees received text messages claiming to be from Twilio’s IT department. The messages instructed them to log in at a fake URL to update supposedly expired passwords, which handed the attackers the employees’ newly entered credentials.

In response, Twilio’s security team revoked access to the compromised accounts, provided additional security training, and implemented further measures to prevent future attacks.

However, a few months later, it was revealed that the company had actually suffered an additional cyber-attack a few days prior, when a Twilio employee fell victim to a voice phishing (or “vishing”) scam, allowing the hacker to access the contact information of a “limited number of customers.”

In a statement released by Twilio, the company played down the extent of the hack:

The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022.

However, some may wonder why Twilio did not immediately disclose this incident, unlike the data breach on August 4, which was addressed transparently with clear information and next steps.

Instead, Twilio mentioned this “brief security incident” at the end of the report for another attack, which seems less transparent.

With the alleged mastermind behind the attacks now in custody, it will be interesting to see whether any additional information regarding the attacks comes to light.

For more on the 2022 breaches, read our article: Twilio Confirms a Second Phishing Attack
