Enterprise communications firm Twilio has concluded its investigation into the recent data breach and revealed on Thursday that its employees were targeted in smishing and vishing attacks on two separate occasions.
On August 7, Twilio revealed that it had detected unauthorized access to information related to customer accounts a few days earlier. A probe revealed that the breach was a result of an SMS phishing (smishing) attack targeting the company’s employees.
At around the same time, Cloudflare said it had also been targeted and a few weeks later it came to light that the companies were targeted as part of a massive phishing campaign that hit over 130 organizations. The attackers appeared to be financially motivated.
Twilio has now concluded its investigation. The company says the attackers were locked out of its systems on August 9 and that only 209 of its more than 270,000 customers were impacted, as well as 93 of 75 million Authy end user accounts. There is no evidence that the threat actors accessed Twilio customer console account credentials, authentication tokens or API keys.
Twilio’s final report reveals that the same threat actor was likely also responsible for an attack that targeted the company in late June. The firm described it as a “brief security incident” that involved voice phishing (vishing). The attackers used social engineering to trick an employee into handing over their credentials, which they used to access the contact information of a limited number of customers.
Twilio claims the hackers’ access was identified and shut down within 12 hours. Impacted users were notified in early July.
The breach discovered in August was a result of a smishing attack launched in mid-July, which involved hundreds of text messages being sent to the phones of current and former Twilio employees. The messages appeared to come from IT administrators and urged recipients to click on a link that took them to a fake Okta login page.
Some employees took the bait and entered their credentials on the phishing sites. The hackers then used these credentials to access internal tools and applications that allowed them to obtain certain customer information.