Posted on October 29, 2022 at 11:52 AM
Twilio, one of the largest messaging platforms in the United States, has announced that it was affected by another breach, which occurred in June. In the breach, hackers gained access to the personal contact details of customers.
Twilio suffers a second breach
According to the company, the second breach was carried out by the 0ktapus hacking group, the same group that was responsible for the attack on the messaging platform in August. The disclosure was tucked into an update to a lengthy incident report that the messaging giant published on Thursday.
Twilio has referred to the breach as a “brief security incident.” The company said the breach happened on June 29, when the same hacking group used a voice phishing technique to socially engineer an employee.
Voice phishing (vishing) is a technique in which an attacker makes phone calls impersonating the company’s IT department in order to trick employees into sharing sensitive details.
In the case of Twilio, the attackers tricked an employee into sharing their corporate credentials. Those credentials allowed the attackers to access customers’ contact information on the platform. The breach affected a “limited number” of customers.
In the update, Twilio also said that the threat actor’s access was identified and revoked within 12 hours, and that customers whose personal details were affected by the June breach were notified on July 12.
A Twilio spokesperson, Laurelle Remzi, was contacted by a news agency but declined to share any insights into the attack. Remzi did not provide an exact number of customers affected by the breach, nor a copy of the notice sent to the affected customers.
The messaging platform has not explained why it is only disclosing the details of this hack now. In the same update, Twilio said that the hackers responsible for the August breach accessed the data of 209 customers, a significant increase from the 163 customers it had reported on August 24.
Twilio has not mentioned the names of the customers whose contact data was accessed by the hacking group. However, some involved parties, such as the Signal messaging app, have informed users that they were affected by the attack on Twilio.
The attackers compromised the accounts of 93 Authy users. Authy is a two-factor authentication app that Twilio acquired in 2015.
Twilio has also said that there is no evidence that the threat actors accessed customers’ console account credentials, and that authentication tokens and API keys remained safe. The company added that the attackers had access to its internal environment for two days, between August 7 and August 9.
0ktapus hacking campaign
The 0ktapus hacking group has been launching coordinated attacks against multiple organizations. The attack on Twilio was part of a larger campaign, during which the threat actor’s operations were detected; the campaign has targeted around 130 organizations, including Cloudflare and Mailchimp.
Cloudflare has said that the attackers did not succeed in compromising its network: the attempts were quickly detected and blocked because the company uses hardware security keys that are resistant to phishing.
Twilio is already taking steps to ensure such attacks do not happen again. The company is assessing the effectiveness of the mitigation practices it has in place to guarantee that the attack will not recur in the future.
One of the measures Twilio has announced is a plan to issue hardware security keys to all employees. However, Twilio has not provided a timeline for when it expects the keys to be rolled out.
The company also proposes adding further layers of control within its VPN, removing or limiting some functionality in its specialized administrative tooling, and increasing the refresh frequency of tokens in Okta-integrated applications. These measures are expected to reduce the likelihood of such a breach happening again, while adding an extra layer of protection for customer data.