Twilio admits that it experienced yet another data breach

It has been confirmed by Twilio that the same threat actor was responsible for the data breach that occurred in August 2022 and resulted in the theft of customer information data.

After weeks of investigation, Twilio claims it has finally concluded its search for the truth about what happened and has revealed in a follow-up blog post that the same malicious actor had also compromised its systems in late June 2022.

Whereas the August incident was enabled by a smishing attack, the June incident was carried out via vishing, or voice phishing.

Theft of sensitive customer information

According to the company, “in the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a subset of customers.” In addition, it claimed that the hacker was neutralised in under a day and that all affected parties were informed by July 2.

Attackers used smishing to steal login credentials for internal, non-production systems and endpoints, Twilio said, and then used those credentials to launch an attack in August. There, they discovered information for 209 customers and 93 Authy users.

Twilio reported that 209 customers, out of a total of 270,000, and 93 Authy end users, out of an estimated 75 million, were affected by the incident. The investigation also revealed that it’s highly unlikely that users’ console credentials, API keys, or authentication tokens were compromised.

Although the incident was reported by the company on August 7th, the company has since learned that the hackers remained for an additional two days. On August 9, 2022, “the last observed unauthorised activity in our environment was,” the firm said.

The report claims that the attack on Twilio was part of a larger cybercrime campaign orchestrated by a group calling themselves Scatter Swine (AKA 0ktapus). MailChimp and CloudFlare were among the at least 130 companies affected.