Representatives of the company Twilio, engaged in the development and provision of cloud PaaS services, reported that unknown attackers gained access to the data of some of its customers. To do this, the attackers stole the credentials of the company’s employees by arranging a phishing attack on them via SMS.
“August 4, 2022, Twilio detected unauthorized access to information associated with a limited number of customer accounts. The attack was carried out with the help of sophisticated social engineering aimed at stealing the credentials of our employees, the company said in an official statement. “The attackers used stolen credentials to gain access to some of our internal systems, where they were able to access certain customer information.”
It is known that as part of a phishing attack on Twilio employees, hackers posed as representatives of the company’s IT department. In their SMS messages, they asked people to click on links containing keywords such as Twilio, Okta and SSO, after which the victims were taken to a fake Twilio login page. People were persuaded to click on malicious links with warnings that their passwords had supposedly expired or that it was time to change them according to the plan, since they were out of date.
At the same time, Twilio declined to comment and disclose additional information about the incident, without answering questions from the media about how many employees were compromised and how many customers were eventually affected by this hack. It is worth noting that Twilio has 26 offices in 17 countries, employing more than 5,000 people.
“The SMS messages originated from US carrier networks. We have worked with carriers to block the attackers, as well as hosting providers serving malicious URLs, to close these accounts, the companies add. — We are aware that other companies have also been subjected to similar attacks, and we coordinated with them the response to the attackers, including cooperation with operators and communications to stop the spread of malicious messages, and with registrars and hosting providers to block malicious URLs. Despite these countermeasures, the attackers continue to switch carriers and hosting providers to renew their attacks.”
It is reported that an investigation into the incident is currently underway, to which law enforcement agencies have already been involved.
Immediately after the attack was discovered, Twilio canceled compromised employee accounts to block hackers from accessing their systems and began to notify customers affected by the incident. It is emphasized that the attackers gained access to a “limited amount” of data, so affected clients are notified on an individual basis.