Twilio reveals it was hit by another data breach


The data breach that hit Twilio in August 2022, resulting in the theft of customer information, was not the first time the same threat actor targeted the company, Twilio has confirmed.

Following weeks of research, Twilio says it has now wrapped up its investigation into the incident, and in a follow-up blog post, it revealed that the same malicious actor also managed to compromise its systems in late June 2022.

However, unlike the August incident, which was enabled by a smishing attack, the June one was carried out through vishing (voice phishing).

Customer data stolen

“In the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” the company explained. It further stated that it cut off the attacker's access within 12 hours and, by July 2, had notified everyone who was affected by the incident.

In the August attack, Twilio said, the attackers used login credentials obtained through the smishing attack to breach internal non-production systems and endpoints. There, they found the data of 209 customers, as well as 93 Authy end users. 

"209 customers – out of a total customer base of over 270,000 – and 93 Authy end users – out of approximately 75 million total users – had accounts that were impacted by the incident," Twilio said. The investigation has also shown that customers’ console account credentials, API keys, or authentication tokens were most likely not accessed. 

The company disclosed the incident on August 7, but later learned that the hackers lingered around for two more days. "The last observed unauthorized activity in our environment was on August 9, 2022," the company added.

According to the report, the Twilio attack was not an isolated incident, but rather part of a larger cybercrime campaign conducted by a group known as Scatter Swine (AKA 0ktapus). At least 130 organizations were hit, including MailChimp and Cloudflare. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.