Twilio hacked by phishing campaign
Communications giant Twilio has confirmed that hackers gained access to customer data after tricking employees into handing over company login information.
The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication (2FA) — into applications, said in a blog post published Monday that it became aware on August 4 that someone gained “unauthorized access” to information related to Twilio customer accounts.
Twilio has more than 150,000 enterprise customers, including Facebook and Uber.
According to the company, the as-yet-unidentified threat actor convinced several Twilio employees to hand over their credentials, which allowed access to the company’s internal systems. It
The attack used SMS phishing messages purporting to come from Twilio’s IT department, suggesting that employees’ passwords had expired or their schedules had changed, and advising the target to log in with a fake URL that the attacker controls.
Twilio said the attackers sent these messages to look legitimate, including words like “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps. (Okta itself suffered a breach earlier this year, which saw hackers gain access to its internal systems.) Twilio said it was working with US carriers to stop the malicious messages, as well as registrars and hosting providers to shut down the malicious URLs that were used in the campaign.
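The lure described above pairs IT-sounding bait (expired passwords, schedule changes, "Okta", "SSO") with a login link on a domain the attacker controls. As an added illustration that is not part of the article or of Twilio's own tooling, the following triage function flags SMS bodies where that bait co-occurs with a URL whose host is not on an exact allowlist of legitimate login hosts; the `example-corp` hostnames and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of the company's real login hosts (an assumption for
# this example). Comparison is exact, so a lookalike such as
# "example-corp-sso.com" is never treated as trusted.
TRUSTED_LOGIN_HOSTS = {"example-corp.okta.com", "sso.example-corp.com"}

# Lure themes from the campaign: expired passwords, changed schedules, and
# SSO vocabulary that makes the text look like a notice from IT.
LURE_PATTERNS = [
    re.compile(r"password\W+(has\W+)?expired", re.I),
    re.compile(r"schedule\W+(has\W+)?changed", re.I),
    re.compile(r"\b(okta|sso|single sign[- ]on)\b", re.I),
]
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>]+", re.I)

def extract_hosts(text):
    """Return the lower-cased hostnames of every URL found in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts

def triage_sms(text):
    """Return (verdict, matched_lure_patterns, untrusted_hosts) for one SMS.

    'phish' when lure text and an off-allowlist login URL appear together,
    'suspicious' when only one of the two signals is present, else 'ok'.
    """
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    untrusted = [h for h in extract_hosts(text) if h not in TRUSTED_LOGIN_HOSTS]
    if lure_hits and untrusted:
        return "phish", lure_hits, untrusted
    if lure_hits or untrusted:
        return "suspicious", lure_hits, untrusted
    return "ok", lure_hits, untrusted

# Constructed sample messages, not real texts from the campaign.
SAMPLES = [
    "ALERT: Your Okta password has expired. Reset now: https://example-corp-sso.com/login",
    "Your schedule has changed, review it at http://sso.example-corp.com/cal",
    "Reminder: team lunch moved to 1pm.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, hits, hosts = triage_sms(msg)
        print(f"{verdict:10} lures={len(hits)} hosts={hosts}")
```

The second sample shows why the two signals are kept separate: the same bait sent with a link to a genuinely trusted host is only "suspicious", which is the case a human reviewer should still see.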
But the company said the threat actors seemed undeterred. “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume attacks,” Twilio’s blog post said. “Based on these factors, we have reason to believe that the threat actors are well-organized, sophisticated and methodical in their actions.”
TechCrunch has since learned that the same actor also created phishing sites impersonating other companies, including a US Internet company, an IT outsourcing company and a customer service provider, but the impact on those organizations – if any – is currently unknown.
Twilio said since the attack that it has revoked access to the compromised employee accounts and has increased security training to ensure employees are on “high alert” for attacks by social engineers. The company said it has started contacting affected customers on an individual basis.
Updated with numbers provided by Twilio.