Customer engagement platform Twilio revealed on Monday that a “sophisticated” threat actor obtained “unauthorized access” to a “limited number” of accounts through an SMS-based phishing campaign directed at its employees. The company described the as-yet-unidentified adversary as “well-organized” and “methodical in their actions” and said the social engineering effort was focused on harvesting staff credentials. The incident became public on August 4.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” it stated in a notice. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
Among the 268,000 active customer accounts held by the communications behemoth are those of businesses such as Airbnb, DoorDash, Box, Dell, eBay, Salesforce, Glassdoor, Lyft, Stripe, VMware, Twitter, Uber, Yelp, and Zendesk. It also owns Authy, a well-known two-factor authentication (2FA) service. Twilio said it is working directly with affected customers and is still investigating the breach. It did not say how large the intrusion was, how many employee accounts were compromised, or what information may have been accessed.
Phishing campaigns of this kind rely on urgency and scare tactics to pressure victims into handing over sensitive information by email or SMS, and this one was no exception. The SMS messages reportedly lured current and former employees into clicking malicious links by falsely claiming to come from the company’s IT department and warning that their passwords were about to expire.
To improve the likelihood of success, the URLs contained terms such as “Twilio,” “Okta,” and “SSO” (short for single sign-on) and led victims to a fake website that impersonated the company’s sign-in page. A hostname that merely contains a trusted brand name is not a trusted domain, which is exactly the confusion these lures exploit. It is not immediately clear whether the compromised accounts were protected by 2FA. Twilio said the messages originated from U.S. carrier networks and that it worked with telecom and hosting providers to take down the attack infrastructure and the scheme. However, the attackers’ move to other carriers and hosting providers blunted those takedown efforts.
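The lure described above, brand and SSO keywords stuffed into a hostname that is not actually the company’s domain, is something a security team can screen for in reported SMS messages. The following is an added example written for this page, not code from Twilio or from the incident response; the allowlisted domains, the keyword lists, the scoring weights and the sample messages are all assumptions constructed for illustration (twilio.com and okta.com are real domains, but which hosts an employer legitimately sends by SMS is local policy).

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the only hostnames the employer legitimately
# sends in a sign-in SMS. Which domains belong here is local policy.
LEGIT_DOMAINS = {"twilio.com", "okta.com"}

# Brand and SSO terms that the article says were dropped into the lure URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

# Phrases typical of the "your password is about to expire" pretext (assumed list).
LURE_PHRASES = ("password", "expire", "expiring", "it department", "verify", "login")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname ('sso.okta.com' -> 'okta.com').

    Simplification: multi-label public suffixes such as co.uk are not handled;
    a production version would use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Flag a URL whose host borrows a brand/SSO keyword but is not an allowlisted domain.

    The check is on the registrable domain, not on substrings: 'sso.okta.com' is fine,
    'okta.com.verify-session.example' and 'twilio-okta-sso.example' are lookalikes.
    """
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    keywords = [k for k in BRAND_KEYWORDS if k in host]
    lookalike = bool(keywords) and domain not in LEGIT_DOMAINS
    return {"url": url, "host": host, "domain": domain,
            "keywords": keywords, "lookalike": lookalike}


def score_sms(text: str) -> dict:
    """Score one SMS body: 3 points per lookalike URL, 1 per lure phrase (capped at 3)."""
    urls = [classify_url(u) for u in URL_RE.findall(text)]
    lowered = text.lower()
    lures = [p for p in LURE_PHRASES if p in lowered]
    score = 3 * sum(1 for u in urls if u["lookalike"]) + min(len(lures), 3)
    return {"score": score, "suspicious": score >= 3, "urls": urls, "lures": lures}


# Constructed sample messages for the example; these are not the real lures
# from the incident, and the .example hostnames are reserved, not live domains.
SAMPLES = [
    "Twilio IT: your password expires today. Reset at https://twilio-okta-sso.example/login",
    "Reminder: standup moved to 10am. Notes at https://sso.okta.com/app/notes",
    "Your Okta session has expired, verify your login: https://okta.com.verify-session.example/",
]


def triage(messages):
    """Return only the messages that should be escalated, with their scores."""
    return [(m, score_sms(m)) for m in messages if score_sms(m)["suspicious"]]


if __name__ == "__main__":
    for msg, result in triage(SAMPLES):
        hosts = [u["host"] for u in result["urls"] if u["lookalike"]]
        print(f"score={result['score']} lookalike_hosts={hosts} lures={result['lures']}")
        print(f"  {msg}")
```

The important design point is that the allowlist comparison happens on the registrable domain, so a legitimate host such as sso.okta.com is not penalised for containing the keywords, while a lure that places okta.com in a subdomain of an attacker-controlled domain is still caught.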
“Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,” it noted.
The San Francisco-based company has since revoked access to the compromised employee accounts to limit the impact of the incident, and it said it is evaluating additional technical safeguards as a preventive measure. The disclosure comes as spear-phishing remains a persistent threat to businesses: last month it was reported that a former Axie Infinity employee had been duped by a fake job offer on LinkedIn, which led to the $620 million Axie Infinity breach.