Investigation into the Twilio hack reveals a second breach as the number of customers affected rises

A second hack involving the theft of client contact information was disclosed by the U.S. messaging company Twilio in June.

An addendum to a long incident report that Twilio finished on Thursday confirmed the second breach, which was carried out by the same “0ktapus” hackers that penetrated Twilio again in August.

On June 29, Twilio reported a “brief security incident” in which the same attackers used voice phishing (a technique in which hackers pose as the company’s IT department to lure employees into handing over sensitive information) to socially engineer one of its employees. An unspecified number of Twilio customers’ contact information was compromised when an employee gave an attacker access to the company’s network.

According to Twilio’s latest update, “the threat actor’s access was found and eliminated within 12 hours,” and customers whose information was compromised in the June Incident were alerted on July 2.

TechCrunch asked Twilio to confirm how many customers were affected by the hack in June, but a representative named Laurelle Remzi declined to do so and also refused to provide a copy of the letter the business claimed to have given to individuals affected by the incident. Remzi also would not comment on why Twilio has only recently come forward with the news.

Twilio also revealed in its update that 209 customers were affected by the August incident, up from the 163 clients it disclosed on August 24. Although Twilio has not publicly identified the affected clients, some have informed their users, such as the encrypted messaging service Signal. 93 customers of Authy, a two-factor authentication app that Twilio bought in 2015, had their accounts hacked as well.

Even though the attackers had access to Twilio’s internal environment from August 7th through August 9th, the business has stated that there is “no indication that the bad actors gained the console account credentials, authentication tokens, or API keys” of its customers.

At least 130 companies, including Mailchimp and Cloudflare, were hit by the campaign led by the threat actor known as “0ktapus”; the breach at Twilio is only one example. However, Cloudflare said that the attackers’ efforts to breach its network were foiled by phishing-resistant hardware security keys.

Twilio has said that it will provide hardware security keys to all of its workers as part of its attempts to reduce the success of future attacks like this. When asked when exactly its service will be available, Twilio said it would not be commenting. It also wants to increase the frequency with which tokens for Okta-integrated applications are refreshed, as well as to introduce more levels of management within its VPN.