Twilio hacked by phishing campaign targeting internet companies

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. 

The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication (2FA) — into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to Twilio customer accounts on August 4.

In an update posted on August 11, Twilio confirmed that malicious actors accessed the data of 125 customers but has yet to confirm what data was accessed. Twilio’s privacy policy says the information it collects includes addresses, payment details, IP addresses and, in some cases, proof of identity.

Twilio has more than 150,000 corporate customers, including Facebook and Uber.

According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees into handing over their credentials, which allowed access to the company’s internal systems. It

The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls. 

Twilio said that the attackers sent these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps. (Okta was itself hit by a breach earlier this year, which saw hackers gain access to its internal systems.) Twilio said it worked with U.S. carriers to stop the malicious messages, as well as registrars and hosting providers to shut down the malicious URLs used in the campaign.

But the company said the threat actors seemed undeterred. “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks,” Twilio’s blog post said. “Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions.”

TechCrunch has since learned that the same actor also set up phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, though what impact on these organizations — if any — isn’t currently known.

Twilio said since the attack, it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for social engineering attacks. The company said it has begun contacting affected customers on an individual basis.

Updated with figures provided by Twilio.