Twilio Customers' Data Stolen in Phishing Attacks that Trick Employees
The hackers impersonated Twilio's IT department.
August 8, 2022
Hackers have accessed Twilio customer data by tricking employees into handing over their corporate login credentials via phishing attacks.
Twilio detailed the phishing attacks in a blog post, which it plans to update as more information becomes available.
On Aug. 4, Twilio became aware of unauthorized access to information related to a limited number of customer accounts through a sophisticated social engineering attack.
“This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials,” it said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data. We are still early in our investigation, which is ongoing.”
Deceptive Text Messages
Current and former employees recently reported receiving text messages purporting to be from Twilio's IT department. Typical texts suggested the employees' passwords had expired, or that their schedule had changed. The hackers instructed them to log in to a URL they controlled. The text messages originated from U.S. carrier networks.
“We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” Twilio said. “Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”
Twilio believes the threat actors behind the phishing attacks are well organized, sophisticated and methodical in their actions.
“We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts,” it said.
Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack. In addition, a forensics firm is helping Twilio in its investigation.
“We have re-emphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago,” it said. “We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”
Twilio is contacting only affected customers on an individual basis with the details.
“We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately,” it said.
Human Error Behind Many Breaches
Erfan Shadabi is head of marketing at Comforte AG, a data security platform provider.
“Many of the data breaches we have seen in the past few months have human error lurking within their backstories,” he said. “Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details or other personally identifiable information. One of the best approaches to mitigate such attacks is to adopt the zero trust framework.”
With zero trust, an organization assumes an attacker has already breached it, Shadabi said. It provides no implicit trust, verifies again and again, and only provides minimal privileges upon successful authentication.
“Protection methods such as tokenization can complement this framework because by tokenizing sensitive data immediately upon entering the corporate data ecosystem, and then not de-protecting it, people can have minimal or no access to the truly sensitive information while still being able to accomplish tasks (like data analytics),” he said.
Szilveszter Szebeni is CISO and co-founder of Tresorit, a European encryption-based security software company.
“While continuous phishing testing employees is the minimum, companies are not even safe using two-factor authentication (2FA),” he said. “With a targeted attack, even accounts protected by 2FA can be hacked by stealing a session using a fake website. The real solution for the industry is to go passwordless. Unfortunately the industry does not support it in every use case.”
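As an added illustration (not from the article, Tresorit, or Twilio) of why the passwordless option Szebeni points to resists the fake-website attack he describes: a WebAuthn relying party checks that the browser-supplied origin and the rpId hash match its own before it even looks at the signature, so an assertion captured on a look-alike site is rejected. `RP_ID`, `RP_ORIGIN` and the challenge below are constructed placeholders, and the ECDSA signature check is left out to stay within the standard library.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                   # assumed relying-party id (placeholder)
RP_ORIGIN = "https://sso.example.com"   # assumed legitimate login origin (placeholder)
CHALLENGE = b"\x13\x37" * 16            # constructed server-issued challenge

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    # The browser, not the web page, writes the origin field; a phishing site
    # cannot forge it to look like RP_ORIGIN.
    obj = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(obj).encode())

def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 7) -> bytes:
    # authenticatorData = SHA-256(rpId) || flags || 32-bit signature counter
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def verify_assertion(client_data_b64: str, auth_data: bytes, expected: bytes) -> tuple[bool, str]:
    """Relying-party checks preceding the signature check in a WebAuthn assertion."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected:
        return False, "challenge mismatch (replayed or stale assertion)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another site)"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    # What the authenticator actually signed; the origin is bound into it via the hash.
    signed = auth_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()
    return True, f"ok, verify signature over {len(signed)} signed bytes"

if __name__ == "__main__":
    good = verify_assertion(make_client_data(RP_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE)
    phished = verify_assertion(make_client_data("https://sso-example.com", CHALLENGE),
                               make_auth_data(RP_ID), CHALLENGE)
    print("legitimate site:", good)
    print("look-alike site:", phished)
```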