Twilio Customers' Data Stolen in Phishing Attacks that Trick Employees

The hackers impersonated Twilio's IT department.

Edward Gately, Senior News Editor

August 8, 2022

4 Min Read

Hackers have accessed Twilio customer data by tricking employees into handing over their corporate login credentials via phishing attacks.

Twilio detailed the phishing attacks in a blog. It plans to update it as more information is available.

On Aug. 4, Twilio became aware of unauthorized access to information related to a limited number of customer accounts through a sophisticated social engineering attack.

“This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials,” it said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data. We are still early in our investigation, which is ongoing.”

Deceptive Text Messages

Current and former employees recently reported receiving text messages purporting to be from Twilio‘s IT department. Typical texts suggested the employees’ passwords had expired, or that their schedule had changed. The hackers instructed them to log in to a URL they controlled. The text messages originated from U.S. carrier networks.

“We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down,” Twilio said. “Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio believes the threat actors behind the phishing attacks are well organized, sophisticated and methodical in their actions.

“We have not yet identified the specific threat actors at work here, but have liaised with law enforcement in our efforts,” it said.

Attack Mitigation

Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack. In addition, a forensics firm is helping Twilio in its investigation.

“We have re-emphasized our security training to ensure employees are on high alert for social engineering attacks, and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago,” it said. “We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”

Twilio is contacting only affected customers on an individual basis with the details.

“We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately,” it said.

Human Error Behind Many Breaches

Erfan Shadabi is head of marketing at Comforte AG, a data security platform provider.


Comforte AG’s Erfan Shadabi

“Many of the data breaches we have seen in the past few months have human error lurking within their backstories,” he said. “Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details or other personally identifiable information. One of the best approaches to mitigate such attacks is to adopt the zero trust framework.”

With zero trust, an organization assumes an attacker has already breached it, Shadabi said. It provides no implicit trust, verifies again and again, and only provides minimal privileges upon successful authentication.

“Protection methods such as tokenization can complement this framework because by tokenizing sensitive data immediately upon entering the corporate data ecosystem, and then not de-protecting it, people can have minimal or no access to the truly sensitive information while still being able to accomplish tasks (like data analytics),” he said.


Tresorit’s Szilveszter Szebeni

Szilveszter Szebeni is CISO and co-founder of Tresorit, a European encryption-based security software company.

“While continuous phishing testing employees is the minimum, companies are not even safe using two-factor authentication (2FA),” he said. “With a targeted attack, even accounts protected by 2FA can be hacked by stealing a session using a fake website. The real solution for the industry is to go passwordless. Unfortunately the industry does not support it in every use case.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like