IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Twilio account breach result of sophisticated social engineering campaign

Employees were subjected to personalised texts that impersonated Twilio's IT department, in a strategic credential harvesting operation

Man typing code on a laptop

Cloud communications platform Twilio has admitted that hackers gained access to some customer data last week after a social engineering attack handed internal login credentials to threat actors.

Twilio employees were subjected to phishing texts requesting that they change their company passwords, each including a link with the keywords “Twilio”, “Okta” and “SSO” to make the URLs look more legitimate.

If an employee clicked the link, they were asked for their current credentials, which the threat actors harvested and used to access internal systems. 

In an incident report, Twilio stated that the attacks were halted after the company “worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.”

The phishing element of the breach was enhanced by social engineering on the part of the threat actors, who made the texts appear as if they were sent by the Twilio IT department. Texts also addressed employees by name in some examples.

The company also stated that it has heard first-hand that other companies were subjected to similar attacks, and that despite coordination with carrier networks the threat actors continue to operate. Investigations are ongoing.

The fact that former employees, as well as current employees, received the texts along with the threat actors’ reported ability to link phone numbers to individual names of employees, suggests a well-equipped operation backed by an understanding of the firm.

Twilio has been in touch with those customers whose data was potentially compromised and has no reason at this stage to suspect malicious activity outside of the accounts it has identified.

“We have reemphasized our security training to ensure employees are on high alert for social engineering attacks and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago.

“We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”

Social engineering attacks are difficult to mitigate because defence is only as strong as an individual’s ability to recognise something is wrong. There is little that security systems can do to protect a company's infrastructure if users are willing to give up their passwords over the phone, and clicking links sent from an unrecognised number carries a similar risk.

It is always best to double-check the origin of communications claiming to be from officials and to question requests to change your password. Two-factor authentication (2FA) can also be a good barrier between employees and unwanted login attempts. 

“Phishing is an important component of social engineering,” stated Paul Brucciani, a cyber security advisor at WithSecure.

“Email recipients are more likely to be deceived by a phishing email read on a smartphone than a desktop machine. Other risk factors are time pressure and organisational change which makes it harder to discern whether the context of the email is appropriate (unusual requests are not regarded as suspicious by email recipients if they are not familiar with organisational changes that have been made).

"A well-crafted, untargeted phishing email can dupe as many as 30% of users in almost any organisation.”

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Escape the ransomware maze
Whitepaper

Escape the ransomware maze

23 Aug 2022
Over 200,000 DrayTek routers vulnerable to total device takeover
Security

Over 200,000 DrayTek routers vulnerable to total device takeover

3 Aug 2022
Data on 69 million Neopets users stolen and listed for sale on hacker forum
Security

Data on 69 million Neopets users stolen and listed for sale on hacker forum

21 Jul 2022
HackerOne employee fired for using position to steal bug bounties
Security

HackerOne employee fired for using position to steal bug bounties

4 Jul 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022