Twilio has disclosed that it fell victim to the recent Codecov supply-chain attack. The cloud communications company
As previously reported by CyberIntelMag, the popular code coverage tool Codecov suffered a supply-chain attack over the last two months, in which threat actors modified the legitimate Codecov Bash Uploader tool to exfiltrate customers’ sensitive information such as keys, tokens, and credentials.
Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.
Today, cloud communications and VoIP platform Twilio has announced that it was impacted by the Codecov supply-chain attack.
Shortly after the attack on Codecov had been disclosed, Twilio was notified that they had been impacted, too. The information has been confirmed by the company only now.
Because a small number of Twilio projects and CI pipelines use the illicitly altered Codecov Bash Uploader component, they were impacted by the attack, too. Twilio stated, however, that the breach did not concern critical systems.
“These projects and CI pipelines are not in the critical path to providing updates or functionality to our communication APIs,” explained Twilio in a statement issued yesterday.
“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure.”
Twilio has notified impacted individuals and has “remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” continues the statement.
According to Twilio, on April 22nd, GitHub had also notified them that a Twilio user token had been exposed.
“GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov.”
Consequently, Twilio’s security team found “a small number of email addresses belonging to Twilio customers.” The company did not say how many customers “a small number” is.
Twilio says there is no evidence that any other customer data has been exposed or that Twilio’s repositories have been tampered with by the attackers.
Twilio has taken steps to remediate the impact of the attack and detect such incidents in the future.