Digital communications platform Twilio was hacked after a phishing campaign tricked its employees into revealing their credentials (via TechCrunch). The company disclosed the data breach in a post on its blog, noting that only “a limited number” of customer accounts were affected by the attack. Twilio enables web services to send text messages and make voice calls over telephone networks and is used by companies such as Uber, Twitter and Airbnb.
The hack took place on August 4 and involved a bad actor who sent text messages to Twilio employees asking them to reset their passwords or notifying them of a change in their schedule. Each message contained a link with keywords such as “Twilio,” “SSO” (single sign-on), and “Okta,” the name of the user authentication service used by many companies. The link led employees to a page that mimicked a real Twilio login page, allowing hackers to collect the information employees entered there.
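The lure pattern described above (brand and SSO keywords in a link that does not point at the real identity provider) is something a mail or SMS gateway can flag. The following is an added example, not code from the article or from Twilio; the trusted-host allowlist and the sample SMS bodies are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Brand/SSO keywords the article says appeared in the lure links.
LURE_KEYWORDS = ("twilio", "sso", "okta")

# Hypothetical allowlist of hosts staff are legitimately sent to for SSO;
# an organisation would substitute its own identity-provider hosts.
TRUSTED_HOSTS = ("sso.example-corp.com", "example-corp.okta.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

def is_trusted_host(host: str) -> bool:
    """True only for an allow-listed host or one of its own subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def classify_link(url: str) -> str:
    """Return 'trusted', 'suspicious' or 'unknown' for one link found in an SMS."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if is_trusted_host(host):
        return "trusted"
    # Lure pattern from the campaign: brand/SSO words in a non-allow-listed
    # host or path. IDNA (xn--) labels are treated the same way, since they
    # are a common way to hide a look-alike brand name.
    haystack = f"{host}{parts.path}".lower()
    if any(k in haystack for k in LURE_KEYWORDS) or "xn--" in host:
        return "suspicious"
    return "unknown"

def triage_messages(messages):
    """Map every link in a batch of SMS bodies to its verdict."""
    results = []
    for body in messages:
        for m in URL_RE.finditer(body):
            results.append((m.group(0), classify_link(m.group(0))))
    return results

# Constructed sample SMS bodies in the style the article describes.
SAMPLE_SMS = [
    "Your Twilio password is expiring. Reset now: https://twilio-sso.example-lure.net/login",
    "Schedule change, review at http://example-corp-okta.example-lure.net/",
    "Reminder: sign in at https://sso.example-corp.com/ to acknowledge policy",
    "Package delivery update: https://parcel.example-other.net/track",
]

if __name__ == "__main__":
    for url, verdict in triage_messages(SAMPLE_SMS):
        print(f"{verdict:10s} {url}")
```

A "suspicious" verdict is a triage signal for the security team, not proof of phishing; the allowlist must be kept in step with the identity provider actually in use.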
After becoming aware of the breach, Twilio teamed up with US phone companies to shut down the texting scheme and also had web hosting platforms remove the fake login pages. Despite this, Twilio says hackers have managed to switch to new hosting and mobile carriers to continue their campaign.
“Based on these factors, we have reason to believe that the threat actors are well-organized, sophisticated and methodical,” added Twilio. “Socially manipulated attacks are – by their very nature – complex, sophisticated and built to challenge even the most sophisticated defenses.”
Twilio is working with law enforcement to find out who is responsible for the campaign and says it has also heard of companies that have been “victims of similar attacks”. Twilio has since cut off access to the compromised employee accounts and will also warn all customers affected by the breach.
Social engineering is becoming an increasingly common tactic for hackers. Earlier this year, a report by Bloomberg revealed that both Apple and Meta shared data with hackers posing as law enforcement officers. Last year, a hacker tricked a Robinhood customer service representative into revealing the information of more than 7 million customers.