Anti-Phishing, DMARC , Breach Notification , Cybercrime
Twilio Customer Data Breached via SMS Phishing of Employees
'Reset Your Password' SMS Messages Tricked Customer Engagement Platform EmployeesWhat begins with "the security of our customers' data is of paramount importance" and ends with a pledge "to help impacted customers in every way possible"?
See Also: Gartner Guide for Digital Forensics and Incident Response
Enter a data breach notification issued Sunday by Twilio. The San Francisco-based customer engagement platform provider counts hundreds of thousands of businesses as customers. Information collected by the company includes contact details for customers, as well as their customers, plus the contents of messages they send back and forth.
Twilio says that on Thursday, it found that a weekslong attack had tricked multiple employees into providing their login credentials to attackers.
"The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data," Twilio says. "Once Twilio confirmed the incident, our security team revoked access to the compromised employee accounts to mitigate the attack."
The company says it has hired a third-party digital forensics firm to investigate the breach and identify affected customers.
Phishing via SMS Messages
Unusually, the employee-targeting social engineering attack didn't use email, but rather SMS phishing messages claiming to have been sent by Twilio's IT department. Messages variously "suggested that the employee's passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls," the company says. "The URLs used words including 'Twilio,' 'Okta,' and 'SSO' to try and trick users to click on a link taking them to a landing page that impersonated Twilio's sign-in page."
Accordingly, Twilio appears to use Okta's Single Sign-On product. But if attackers designed a fake login page that required not just an employee's username and password, but also their single sign-on code, then they too could in theory access the same systems.
Twilio says attackers appeared to possess an accurate list of employee names and phone numbers and sent their text messages via U.S. carrier networks. "We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down," it says.
Investigation Ongoing
Twilio has not yet issued a final count of the number of employees who were tricked or customers who were affected by the breach. "If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack," it says. The company has also not yet specified if the breached businesses are located exclusively in the U.S. or if they might also be abroad.
If exposed information included personal details for Europeans, under the EU's General Data Protection Regulation, the company would have been legally required to provide extensive breach details to a European privacy watchdog within 72 hours of discovering the incident.
Twilio declined to comment on the geographical impact of the breach. But the company tells Information Security Media Group that further breach details may be released "as more information becomes available."
The full extent of the damage suffered by Twilio may not yet be clear. "We continue to notify and are working directly with customers who were affected by this incident," the company says in its breach notification. "We are still early in our investigation, which is ongoing."
Twilio says it is reviewing its security defenses to look at bolstering its ability to block such attacks. In addition, the company says it's been revising employee training and warning employees to be "on high alert for social engineering attacks," backed by details of how this specific attack campaign has been executed.
Full Impact Unclear
Attackers stole information about Twilio's customers, and the risk this might pose to those customers, and by extension those customers' customers, remains unclear.
But Twilio collects extensive information, including businesses' communications with their customers, as well as information on those individuals.
"We process customer contact details such as your name, email and phone number directly from you," Twilio's privacy policy states. "We process your end users' communications-related data such as phone numbers, email addresses, friendly names that you create for your end users. We also process the content of communications sent by you or your end users to provide services to you."
At a minimum, attackers could use this information to craft phishing attacks designed to more effectively target Twilio's customers.
Attack Campaign Still Active
Twilio says it does not appear to have been the only firm targeted by this campaign, which remains active.
"We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors - including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs," it says. "Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks."