Key Points
- Threat actors socially engineered two Twilio employees, which led to a Twilio breach.
- The Twilio breach not only affected its customers, but also affected other companies such as Signal through omnichannel services.
- The threats represented can severely impact third-party supply chains and organizations through omnichannel services.
Twilio, a communication SaaS provider, pushes out SMS, social, mobile, and much more at high volumes. However, like any other SaaS application in this current era, Twilio is susceptible to nefarious cybersecurity attacks by threat actors.
In this blog post, let’s examine how the Twilio breach happened and why it concerns your organization.
The Twilio Breach
On August 4, 2022, a sophisticated social engineering attack designed to steal employee credentials breached Twilio. Threat actors socially engineered two of its employees and used the stolen credentials to gain access to Twilio’s internal systems and steal customer data.
At the time of publishing this article, further investigation of the Twilio breach is still underway, and only Signal has reported a downstream breach. Some researchers are tying it to the Lapsus$ Okta breach, but there has been no confirmation of the attackers’ identity.
The attackers rotated through phone carriers to send the messages, and one Twilio employee was confirmed to have followed a malicious URL, which allowed the attackers to phish that employee. The phishing message appeared to be sent from the Twilio IT department and asked the recipient to “reset their account password.” The attackers used specific keywords like “Okta” and “SSO” within the message to make it seem more urgent and legitimate.
Why It Concerns Your Organization
Twilio and many other major organizations use SMS messaging and social media platforms to advertise products, respond to customers, and broaden their consumer base. However, it only took two Twilio employees to respond to the phishing attempt for an attacker to gain access to their systems.
The Twilio breach highlights a pressing issue: threat actors exploit employees as the weakest point in an organization’s cybersecurity. Companies cannot afford to rely on employees alone to identify increasingly complex social engineering scams. Threat actors have become more sophisticated in their social engineering methods, and they continue to leverage human psychology to sneak into businesses, steal information, and do damage.
The Omnichannel Threat
According to Signal, a user of Twilio’s services, around 1,900 of its users may have been affected by the Twilio breach, with phone numbers and SMS verification codes potentially exposed to the attackers. This is the downstream effect of a successful social engineering attack on an omnichannel service.
A successful phishing attack can lead to a breach of customers’ personal data (including, but not limited to, that of other organizations that utilize your services). It also leads to brand reputation damage, fraud, and regulatory concerns, since the platform that originally distributes content has been weaponized.
Mandiant has also been engaged, and the impact extends beyond the Twilio customers who were phished, so we can expect more news in the coming days.
According to multiple reports, the attackers sent the messages through phone carriers. We decided to perform our own investigation and found two of the URLs used in the wild. As referenced above, the attackers crafted the phishing message to appear to come from the “Twilio IT” department and to request a password reset, using keywords to confuse victims and make them think the message was legitimate.
Here are the (defanged) domains used:
- Twilio-sso .com
- Twilio-okta .com
In these domains, there were fake pages used for credential stealing by the attackers.
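As an added example (not code from the original post or from SafeGuard Cyber), here is a small Python triage heuristic modelled on the lure described above: it flags SMS text that links to a lookalike of a protected brand domain, or that pairs an external link with a cluster of SSO/password-reset keywords. The brand list, the allowlist, and the sample messages are constructed assumptions for this example.

```python
import re

# Assumed (constructed) policy for this example: brands we protect, domains
# known to be legitimate, and the lure vocabulary seen in the Twilio campaign.
PROTECTED_BRANDS = {"twilio"}
ALLOWED_DOMAINS = {"twilio.com", "okta.com"}
LURE_KEYWORDS = {"okta", "sso", "reset", "password", "expired", "action required"}

# Matches http(s) URLs and bare domains; group 1 is the host name.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#][^\s]*)?", re.I)

# Constructed sample messages modelled on the described lure (not real captures).
SAMPLE_SMS = [
    "Twilio IT: your Okta SSO session expired. Reset your password at https://twilio-sso.com/reset",
    "Reminder: team offsite tomorrow, see https://twilio.com/blog for details",
    "Action required: SSO password reset https://twilio-okta.com/login",
]


def analyze_sms(text):
    """Score one SMS body; returns the evidence found and a suspicious verdict."""
    lowered = text.lower()
    lookalikes, external = [], 0
    for match in URL_RE.finditer(text):
        labels = match.group(1).lower().split(".")
        registrable = ".".join(labels[-2:])  # assumes a single-label TLD
        if registrable in ALLOWED_DOMAINS:
            continue
        external += 1
        # A protected brand name embedded in a non-allowlisted host label
        # (e.g. "twilio-sso") is the strongest signal of a lookalike domain.
        if any(brand in label for label in labels[:-1] for brand in PROTECTED_BRANDS):
            lookalikes.append(registrable)
    # Whole-word keyword matches so "sso" does not fire on words like "associate".
    keywords = sorted(k for k in LURE_KEYWORDS
                      if re.search(r"\b" + re.escape(k) + r"\b", lowered))
    return {
        "lookalike_domains": lookalikes,
        "lure_keywords": keywords,
        "suspicious": bool(lookalikes) or (external > 0 and len(keywords) >= 3),
    }


def flag_messages(messages):
    """Return the indices of messages that should be held for review."""
    return [i for i, body in enumerate(messages) if analyze_sms(body)["suspicious"]]


if __name__ == "__main__":
    for i in flag_messages(SAMPLE_SMS):
        print(f"message {i}: {analyze_sms(SAMPLE_SMS[i])}")
```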
SafeGuard Cyber Offers Protection
SafeGuard Cyber has dozens of customers in this space, including well-known Fortune 500 financial services companies that use our solution to protect and secure their omnichannel presence, including their Twilio services.
SafeGuard Cyber also covers organizations’ social media accounts, detecting attacks arriving through omnichannel threats and protecting the channels used to promote such services, including LinkedIn, Instagram, Twitter, and Microsoft email.
Learn more here about how you can avoid incidents like the Twilio breach.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.