Twilio, the communications giant, has confirmed that hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.
The company, based in San Francisco, allows users to build voice and SMS capabilities, such as two-factor authentication (2FA), into applications, said that it became aware that someone gained “unauthorised access” to information related to some Twilio customer accounts on 4th August. These findings were published in a blog post on Monday 9th.
Twilio has more than 150,000 corporate customers, including Uber and Facebook.
The threat actor has not yet been identified.
The attack used SMS phishing messages that claimed to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed. The text advised the target to log in using the spoofed web address provided.
Twilio said that these texts appeared to look legitimate and used specific jargon that companies use to secure access to their internal apps, such as “SSO”. Twilio stated that they worked with US carriers to stop the malicious messages, as well as registrars and hosting providers to shut down the malicious URLs used in the campaign.
The blog post added: “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks. Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their actions.”
It has not yet been disclosed as to how many customers have been affected or what data has been stolen.
The communication giant has said that since the attack it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for similar social engineering attacks. Affected customers are being contacted on an individual basis.
Erfan Shadabi, Cybersecurity Expert at comforte AG, noted: “Many of the data breaches we have seen in the past few months have human error lurking within their backstories. Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details, or other personally identifiable information.
“One of the best approaches to mitigate such attacks is to adopt the Zero Trust framework.”