Skip links

Twilio customer data exposed after its staffers got phished

Twilio confirmed a breach of the communication giant’s network and accessed “a limited number” of customer accounts after tricking some employees into falling for a phishing attack.

The company declined to respond to The Register‘s inquiries about how many customers’ accounts were compromised and the type of data that the crooks stole, but the investigation is ongoing.

Twilio said it first became aware of the breach on August 4, after current and former employees received text messages claiming to be from Twilio’s IT department saying the employees’ passwords were expired, or for some other reason they needed to log into a phony URL that looked like Twilio’s sign-in page. 

In reality, however, the webpages were attacker-controlled sites, and once the employees entered their usernames and passwords, the crooks grabbed the credentials and used those to access Twilio’s internal systems.

All of the text messages originated from US-carrier networks, and Twilio said it worked with the network operators and hosting providers to shut down the malicious accounts. “Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,” the cloud communication biz noted.

“We continue to notify and are working directly with customers who were affected by this incident,” the company wrote in an incident report, adding that if you don’t hear from Twilio, that means the biz believes your data is safe. 

Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers including Lyft, American Red Cross, Salesforce, Twitter and VMware. But this incident wasn’t alone, Twilio said, but part of a larger campaign.

We’re told that that breach was part of a larger, coordinated attack against several companies — not just Twilio. The firms reportedly coordinated their response and collaborated with carriers to stop the phishing texts and hosting providers to shut down the phone URLs. 

“Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks,” according to the incident report. “Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions. 

Twilio declined to identify other victim organizations or provide additional information about who is believed to be behind the attacks. The services provider is working with law enforcement and a “leading forensics firm” as it continues to investigate the breach.

And, it added a reminder to customers: “Twilio will never ask for your password or ask you to provide two-factor authentication information anywhere other than through the portal.” ®