The San Francisco-headquartered cloud communications company Twilio recently disclosed that it had suffered a data breach. According to the company, attackers stole employee credentials and used them to gain access to its internal systems.

A statement from the communications company stated:

“On August 4, 2022, Twilio became aware of unauthorised access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

With over 5,000 employees in 26 offices across 17 countries, Twilio provides programmable voice, chat, text, email and video APIs used by more than 150,000 businesses and 10 million developers to build customer engagement platforms.

In 2015, Twilio acquired Authy, a popular multi-factor authentication provider for developers, enterprises and end users, which is used by millions worldwide.

Targeted phishing attacks on enterprise employees

Twilio has revealed that the threat actor behind the breach gained access to its network after tricking multiple employees into handing over their credentials in a targeted phishing campaign. The attackers sent text messages impersonating Twilio’s IT department, asking employees to click on links whose URLs contained the keyword “Twilio”. The links led to a cloned webpage that resembled the genuine Twilio sign-in page and captured the credentials entered there.

To add urgency and prompt action, the SMS phishing messages claimed that the employees’ passwords were expiring and urged them to click the embedded links to resolve the issue.
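The lure described above combines two signals a defender can check for: a link whose hostname carries the brand keyword but does not sit under the organisation’s own registrable domain, and urgency language about passwords expiring or accounts being suspended. The following triage script is an added example written for this article, not Twilio’s code; the allowlist of legitimate domains, the lure phrases and the sample messages are all assumptions constructed for the demonstration.

```python
"""Heuristic smishing triage for brand-keyword lookalike links.

Added example, not Twilio's code. Flags SMS text whose embedded links use a
hostname containing a protected brand keyword ("twilio") but whose registrable
domain is not on an assumed allowlist, and records urgency lures such as
password-expiry language. All sample messages below are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumption for this example: the organisation's own registrable domains.
# This is NOT an authoritative list of Twilio's domains.
LEGIT_DOMAINS = {"twilio.com"}
BRAND_KEYWORDS = ("twilio",)
# Lure fragments; substring match so "expir" covers expiring/expired/expires.
URGENCY_FRAGMENTS = ("password", "expir", "suspend", "verify your account", "immediately")

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Adequate for the .com-style hosts used here; production code should
    consult the Public Suffix List so that e.g. 'example.co.uk' is correct.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_hosts(text: str) -> list:
    """Return the (lowercased) hostnames of all links in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)!")
        if url.lower().startswith("www."):
            url = "http://" + url  # urlsplit needs a scheme to locate the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_sms(text: str) -> dict:
    """Triage one message.

    verdict: 'phish'      - a link host carries a brand keyword but is not under
                            an allowlisted registrable domain (lookalike site)
             'suspicious' - an urgency lure plus a link to a non-allowlisted host
             'clean'      - otherwise
    """
    lowered = text.lower()
    lookalikes, external = [], []
    for host in extract_hosts(text):
        if registrable_domain(host) in LEGIT_DOMAINS:
            continue
        external.append(host)
        if any(keyword in host for keyword in BRAND_KEYWORDS):
            lookalikes.append(host)
    lures = [frag for frag in URGENCY_FRAGMENTS if frag in lowered]
    if lookalikes:
        verdict = "phish"
    elif lures and external:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "lookalike_hosts": lookalikes,
            "external_hosts": external, "lures": lures}


# Constructed sample messages (not real traffic from the incident).
SAMPLE_SMS = [
    "Twilio IT: your password is expiring today. Sign in at https://twilio-sso.com/login to keep access.",
    "Action required: reset at https://twilio.com.sso-verify.example/reset before your account is suspended.",
    "Your account will be suspended. Verify your account at http://secure-login.example.net/verify.",
    "Reminder: the SSO docs are at https://www.twilio.com/docs if you need them.",
    "Lunch moved to 1pm, see you there.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = classify_sms(sms)
        print(f"{result['verdict']:<10} {sms[:55]!r} {result['lookalike_hosts']}")
```

The second sample shows why the check is on the registrable domain rather than on the hostname’s prefix: `twilio.com.sso-verify.example` starts with the legitimate domain but resolves under the attacker’s. In a real deployment the allowlist would be fed from the organisation’s asset inventory and the eTLD+1 logic replaced by a Public Suffix List library.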

Katherine James, Twilio’s EMEA Communications Director, was unable to confirm how many employee accounts had been compromised in the phishing attack or how many customers had been affected by the breach.

Investigating a phishing attack

After investigating the incident, Twilio found that the SMS phishing messages had been sent through US-based carrier networks. Working with the US carriers and the hosting providers involved, Twilio shut down the attackers’ messaging campaign and the accounts used to run it.

The company has not yet identified the attackers responsible for the incident, but it is working with US law enforcement as part of its ongoing investigation.

Since the attack, Twilio has revoked access for the compromised employee accounts to cut off the threat actor’s access to its systems, and it has begun notifying the customers affected by the breach. A spokesperson for Twilio commented:

“As the threat actors were able to access a limited number of accounts’ data, we have been notifying the affected customers on an individual basis with the details.”

The firm also disclosed in May 2021 that it had been affected by the Codecov supply-chain attack, in which threat actors modified the legitimate Codecov Bash Uploader script so that it exfiltrated credentials, tokens and secret keys from the environments of Codecov customers that ran it.