Twilio hackers have hit more than 130 organisations in massive campaign

26 Aug 2022

Image: © Tomasz Zajda/

Group-IB said the credentials of almost 10,000 employees have been compromised by the ‘0ktapus’ campaign, which has been active since at least March.

The hackers responsible for the recent Twilio data breach have also compromised more than 130 organisations in a phishing campaign of “unprecedented” scale, according to cybersecurity company Group-IB.

It said the credentials of almost 10,000 employees have been compromised as a result of phishing attacks.

The campaign has been codenamed ‘0ktapus’ by Group-IB, as the threat actors commonly impersonate Okta and target organisations that use the identity management provider.

Group-IB began its investigation after one of its customers was targeted by a phishing attack. This incident was found to be linked to the recent attacks on Twilio and Cloudflare. Other victims include Klaviyo and Mailchimp.

Pivoting through the supply chain

Group-IB said the phishing campaign is “simple yet very effective” and has been active since at least March 2022.

The primary goal of the hackers was to obtain Okta identity credentials and two-factor authentication codes from users of the targeted organisations, Group-IB said. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

“It is still unknown how fraudsters prepared their target list and how they obtained the phone numbers,” Group-IB said in its report.

“However, according to the compromised data analysed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks.”

It added that once the attackers compromise an organisation, they are able to quickly “pivot and launch subsequent supply chain attacks”.

For example, after the hackers breached Twilio, the messaging service Signal warned 1,900 users that their phone numbers were potentially exposed. An attacker could have attempted to re-register these numbers to another device

Food delivery platform DoorDash said in a statement that one of its third-party vendors was targeted and that “certain personal information” was affected.

The full scale is unknown

Of the 136 victim organisations identified by Group-IB, 114 are in the US. The list also includes companies that are headquartered in other countries but have US-based employees that were targeted. Most of the targeted companies provide IT, software development and cloud services.

Group-IB has informed the affected organisations and sent on its report to law enforcement groups, but noted that the full scale of the campaign is still unknown.

Rustam Mirkasymov, Group-IB Europe’s head of cyber threat research, said the methods used by the threat actors are “not special”, but the planning and ability to pivot between companies makes the campaign “worth looking into”.

“0ktapus shows how vulnerable modern organisations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers,” Mirkasymov said.

“By making our findings public, we hope that more companies will be able to take preventive steps to protect their digital assets.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic