A “malicious actor” accessed the data of a “limited number of customers” through social engineering
Twilio has confirmed a second data breach as it ramps down its investigation of a phishing attack on August 4.
The newly revealed attack occurred on June 29, 2022, when a Twilio employee fell victim to a voice phishing – otherwise known as “vishing” – scam.
Afterward, the hacker gained access to the contact information of a “limited number of customers.”
Giving more details in an incident report for the already publicized attack, Twilio states:
The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022.
Some will question why Twilio did not immediately make the news public, as it did for the data breach on August 4.
Indeed, it was clear in its response to that attack, stating what happened and what it had done, and setting out next steps, which gave a real sense of transparency.
Yet, burying news of this “brief security incident” at the bottom of the incident report for another attack seems somewhat murkier.
With that said, the attacks are connected, as Twilio reveals that the same actors likely performed both breaches.
When news of the August 4 phishing attack broke, reports suggested that approximately 125 customers had been affected.
However, the latest entry in Twilio’s incident report suggests that the incident impacted 209 customers and 93 Authy end users.
Moreover, the attacks lasted until August 9, when the last observed unauthorized activity in Twilio’s environment occurred.
Of course, these findings are troubling. Fortunately, Twilio confirms:
There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.
Also, as Twilio boasts a total customer base of over 270,000, the attack only affected a fraction of its clients, thankfully.
Yet, news of two separate breaches – albeit similar – in such a short time is concerning.
Indeed, it perhaps highlights a lack of training within the company on avoiding social engineering, which was also at the heart of August’s attack.
In that attack, hackers pretended to work for the business’s IT team, sending SMS messages to employees telling them that their passwords had expired.
These messages included a link to a copycat website, which employees could follow to reset their details. Those who did gave the attackers access to their corporate credentials.
To avoid future attacks, Twilio has suggested it will increase security training – so employees are on “high alert” for similar scams. It has also revoked access to the compromised accounts.
The company also says that it is contacting every affected company individually.
However, the news may take the shine off its upcoming SIGNAL event, where its customers – which include Deliveroo, Facebook, and Uber – are invited to learn more about its latest innovations.
Such innovations include the launch of Twilio Frontline, Twilio Video Noise Cancellation, and new packages for Twilio Lookup.
At the event, speakers will include George and Amal Clooney, as the well-established CX provider looks to bounce back from a difficult summer, which has left customers with many questions.