Twilio employees tricked, customer details exposed

The attackers pretended to be Twilio's IT department

The attackers phished employees with warnings their passwords had expired

Cloud communications provider Twilio says threat actors were able to access some of its customers' data, after a successful social engineering attack led some employees to share their login credentials with cyber criminals.

Uber, Twitter, and Airbnb are among the companies that use Twilio, which enables web services to send SMS messages and make voice calls over telephone networks.

Twilio learned about the attack on 4th August, saying in a statement: 'This broad based attack against [the] Twilio employee base succeeded in fooling some employees into providing their credentials.'

After obtaining access to some of Twilio's internal systems, the attackers used the stolen credentials to access customer data.

The attackers pretended to be Twilio's IT department and asked users to visit URLs containing the terms 'Twilio,' 'Okta,' and 'SSO', which took them to a cloned Twilio sign-in page.

The SMS phishing messages the attackers sent warned employees that their passwords had expired or were about to be changed, encouraging them to click the links.

In certain instances, the messages addressed the employees by name.

The victims were prompted to enter their current credentials when they clicked the link. The threat actors harvested these credentials and used them to log in to internal systems.
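For defenders, the lure pattern described above (sign-in terms on a host the company does not own) can be screened for in reported messages. The following is an added example, not code from Twilio or from the original article; the allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Terms the article says appeared in the lure URLs. Brand names are matched as
# substrings; the short generic term only as a whole token, to limit noise.
BRANDS = ("twilio", "okta")
GENERIC = ("sso",)
# Assumption: the hosts staff really sign in on; replace with your own list.
ALLOWED = ("twilio.com", "okta.com")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def hosts_in(message):
    """Yield lower-cased hostnames of URL-like tokens in an SMS body."""
    for token in message.split():
        token = token.strip(".,;:!?()<>\"'")
        if "." not in token:
            continue
        url = token if "://" in token else "http://" + token
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            continue
        if HOST_RE.fullmatch(host):
            yield host

def is_allowed(host):
    # Exact host or true subdomain only: "twilio.com.evil.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWED)

def lure_terms(host):
    tokens = set(re.split(r"[.-]", host))
    return [b for b in BRANDS if b in host] + [g for g in GENERIC if g in tokens]

def flag_message(message):
    """Return [(host, matched_terms)] for non-allowlisted hosts using lure terms."""
    return [(h, lure_terms(h)) for h in hosts_in(message)
            if not is_allowed(h) and lure_terms(h)]

# Constructed sample messages (not real indicators; .example is a reserved TLD).
SAMPLES = [
    "Notice: your Twilio password has expired. Sign in at https://twilio-sso.example/login",
    "IT: schedule changed, confirm at twilio.com.okta-help.example.",
    "Reminder: reset via https://login.twilio.com/reset",
    "Lessons start Monday, details at lessons.example/info",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(flag_message(sms) or "clean", "<-", sms)
```

The second sample shows why the allowlist check compares whole hostnames: a genuine domain placed at the front of an attacker-controlled host must not be treated as trusted.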

The SMS messages came from US carrier networks. Twilio worked with US carriers to shut down the attack, and also with the hosting companies serving the fraudulent URLs to stop those accounts from being used.

The company is working with law enforcement, but it has not yet been able to identify the attackers.

Twilio has begun contacting customers who may have been impacted and has revoked the employee accounts that were compromised during the hack, to deny the attackers access to its systems.

The firm claims several other businesses were the targets of similar attacks and that the perpetrators are still active.

The platform says it has reemphasised its security training and has released security advisories on the exact strategies used in the attack. It has also required staff to undergo additional awareness training on social engineering assaults.

The company says 'trust is paramount at Twilio' and that it knows 'the security of our systems is an important part of earning and keeping your trust.'

'We sincerely apologise that this happened.

'We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately,' Twilio added.