Twilio said hackers managed to access the data of a number of customers after stealing employee login details in a phishing campaign.
US cloud communications giant Twilio suffered a data breach after employees were tricked into sharing their login credentials through a phishing scam.
Twilio said it became aware that someone gained unauthorised access to information on its customer accounts on 4 August.
The company said it is in the early stages of investigation and has not revealed the extent of customer data that was accessed. The communications giant has more than 150,000 customers including Twitter, Airbnb and Stripe.
Twilio said it is notifying affected customers on an individual basis as only a “limited number” had their data accessed by the threat actors.
How did the data breach occur?
Twilio said current and former employees received text messages claiming to be from the company’s IT department. The texts said the employee’s passwords had expired or that their schedule had changed, with a URL link to update their password or see relevant changes.
This link led employees to a landing page that impersonated Twilio’s sign-in page, tricking some employees into sharing their login details with the attackers. The attackers then used these details to access the company’s internal systems.
Twilio said the messages were designed to look legitimate, with words such as ‘Okta’ and ‘SSO’ (single sign-on) in the URL.
“The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,” Twilio said in a blogpost.
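As an added illustration (not code from Twilio or from this article), the following Python snippet shows one detection heuristic for the lure style described above: it pulls URLs out of SMS bodies and flags any whose host carries an identity-provider keyword such as 'okta' or 'sso' but is not a domain the organisation actually uses for sign-in. The allowlisted domains and the sample messages are constructed assumptions, not values from the incident.

```python
import re
from urllib.parse import urlparse

# Assumption: domains this (hypothetical) organisation legitimately uses for SSO.
LEGIT_SIGNIN_DOMAINS = {"example.okta.com", "sso.example.com"}

# Keywords the lures in the incident placed in their URLs to look legitimate.
LURE_KEYWORDS = ("okta", "sso")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_legitimate(host: str) -> bool:
    """True if host is an allowlisted sign-in domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_SIGNIN_DOMAINS)


def classify_url(url: str) -> str:
    """Return 'legit', 'lure' or 'unknown' for a single URL."""
    parsed = urlparse(url)
    # .hostname strips any userinfo, so "https://example.okta.com@evil.example/"
    # resolves to the real host "evil.example" rather than the decoy prefix.
    host = parsed.hostname or ""
    if host_is_legitimate(host):
        return "legit"
    haystack = host + parsed.path.lower()
    if any(keyword in haystack for keyword in LURE_KEYWORDS):
        return "lure"
    return "unknown"


def scan_messages(messages):
    """Return (url, verdict) pairs for every URL found in a list of SMS bodies."""
    results = []
    for body in messages:
        for url in URL_RE.findall(body):
            results.append((url, classify_url(url)))
    return results


# Constructed sample SMS bodies mimicking the "password expired" / "schedule changed" lures.
SAMPLE_SMS = [
    "IT: your password has expired, reset it at https://example.okta.com/login now",
    "IT: your schedule has changed, review it at https://twilio-sso.example/okta/login",
    "Verify your account: https://example.okta.com@evil.example/sso",
    "Your parcel is waiting: https://parcel.example/track/123",
]

if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_SMS):
        print(f"{verdict:8} {url}")
```

The host check is a heuristic, so 'unknown' verdicts still deserve a look; the point is to surface brand-keyword lookalikes quickly rather than to prove a URL safe.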
How did Twilio respond to the data breach?
Once the intrusion was detected, Twilio said its security team revoked access to the compromised employee accounts to try to mitigate the attack.
The company said it has “reemphasised” its security training to ensure employees are on high alert for social engineering attacks. It has also issued security advisories on the specific tactics that were used in this incident.
Twilio said it is working with a forensics firm to aid the ongoing investigation.
“We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately,” Twilio said.
Who is behind the attack?
Twilio has not yet identified the specific threat actors, but is working with law enforcement on the matter.
The company said it has worked with US carrier-hosting providers to stop the text messages going to employees and shut down the malicious sites.
However, Twilio said the threat actors have managed to rotate through carriers and hosting providers to resume their attacks. The cloud company added that the attackers are “well-organised, sophisticated and methodical in their actions”.
What can be done to guard against these kinds of phishing attacks?
There are various ways that a phishing attack can occur, such as texts and emails that link to a fake website and encourage someone to enter details such as a password or other credentials.
Jamie Moles, senior technical manager at cybersecurity provider ExtraHop, said attackers don’t need to be sophisticated or smart when users are willing to click on links from unsolicited emails and SMS messages.
“They continue to leverage phishing attacks because clearly they still work,” Moles said. “While scammers prey on the trusting element of human nature, organisations should also think about how their technology investments support their education and awareness efforts.”
Moles said organisations spend around 75pc of their security budget on prevention tools, but added that it is “only a matter of time” before a breach occurs.
He said firms should adopt a defensive playbook to stop attacks before they can access or encrypt critical data. “It’s time to think beyond the prevention box when it comes to phishing,” Moles added.