Olivia Cavallaro Tech 08.08.2022 21:Aug PM EDT

Twilio Confirms Data Breach: Here's What You Should Know

A phishing attack on employees enabled attackers to breach the company's internal systems.

Communications company Twilio confirmed on Sunday that an SMS phishing attack that enabled attackers to steal employee credentials resulted in a breach of the organization's internal systems. Attackers used the stolen employee data to access internal systems and certain client data, resulting in the Twilio data breach.

Twilio, which is a company that allows web services to send SMS messages and conduct voice calls over phone networks, is used by firms such as Uber, Twitter, and Airbnb. The company was founded in 2008 in Seattle, Washington by Jeff Lawson, Evan Cooke, and John Wolthuis.

The cloud communications company took to their official blog to share details of the Twilio data breach, recounting how they were first alerted of the unauthorized access to information on August 4. The company described it as a "sophisticated social engineering attack" meant to gather employee data and use it to gain access to internal systems.

How Did the Attacker Gain Access to Employee Information at Twilio?

According to The Verge, the bad actor behind the Twilio data breach sent SMS messages to employees of the company and asked them to reset their password or informed them of a change in schedule. The text messages included a link with keywords such as "Twilio," "SSO" or single sign-on, and "Okta," the name of the user authentication service used by a number of companies.

The link would then lead Twilio employees to a page that looked like a real Twilio sign-in page, where the hackers collected the information that employees input on the page. Upon realizing the hacking scheme, Twilio coordinated with American phone carriers to shut down the SMS chain and asked web hosting platforms to take down the fake sign-in pages.

However, Twilio data breach hackers had already managed to swap to new hosting providers and mobile carriers to carry out their devious campaign.

What Was the Scale of the Attack on Twilio?

While the company said that there had been unauthorized access to a "limited number" of customer accounts, the company's EMEA Communications Director Katherine James declined to offer more information when asked how many employees' accounts were affected by the Twilio data breach.

James also did not comment on how many customers were affected by the unauthorized access, saying that the communications company has "no additional comment to provide at this time beyond what is posted in the blog," Bleeping Computer reported.

Twilio confirmed, however, that the SMS employees received were from US carrier networks and that they have heard from other companies that fell victim to similar attacks recently. The company has not yet identified the actors behind the Twilio data breach but are already working with law enforcement for the investigation on the attack.

The company also confirmed that they have been notifying affected customers of the Twilio data breach and speaking to them "on an individual basis with the details." This is not the first time the company was targeted by a cyberattack.

In May 2021, Twilio was also affected by the Codecov supply-chain attack, in which bad actors modified the legitimate Codecov Bash Uploader tool and used it to steal credentials, secret keys, and user tokens from Codecov customers.