Twilio Customer Data Exposed after its Staffers got Phished

upnorth
Twilio confirmed that crooks breached the communication giant's network and accessed "a limited number" of customer accounts after tricking some employees into falling for a phishing attack.

The company declined to respond to The Register's inquiries about how many customers' accounts were compromised and the type of data that the crooks stole, but the investigation is ongoing. Twilio said it first became aware of the breach on August 4, after current and former employees received text messages claiming to be from Twilio's IT department saying the employees' passwords were expired, or for some other reason they needed to log into a phony URL that looked like Twilio's sign-in page. In reality, however, the webpages were attacker-controlled sites, and once the employees entered their usernames and passwords, the crooks grabbed the credentials and used those to access Twilio's internal systems.

All of the text messages originated from US-carrier networks, and Twilio said it worked with the network operators and hosting providers to shut down the malicious accounts. "Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers," the cloud communication biz noted.
Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers including Lyft, American Red Cross, Salesforce, Twitter and VMware. This incident wasn't an isolated one, Twilio said, but part of a larger campaign.
 

Numeriku
Same here.
I thought there would be no problems in the future when I chose Authy, but since it was taken over by Twilio there seem to be more and more problems....
What other 2FA service could be Authy's replacement?

Bitwarden is the only other one I trust aside from Authy, but you need 10/yr for that feature, and many people say it is not advisable to merge a password manager and TOTP together. I am just waiting for the email from Twilio saying whether my account was compromised and I have to revoke all 200+ secrets.

Edit - If nothing else looks promising, I will possibly look to moving to Microsoft authenticator.
 

upnorth
At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to data in an undisclosed number of customer accounts.

Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
It's impressive that despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company's use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords from sent text messages or even generated by an authentication app, it likely would have been a different story.
 
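The post above makes the key point of the Twilio/Cloudflare comparison: a TOTP code is valid wherever it is typed, while a FIDO2 assertion is bound to the site the browser is actually on. The following is an added example, not code from the thread, from Twilio, or from Cloudflare, that shows the two verification paths side by side. It implements RFC 6238 TOTP faithfully (checked against the RFC's own test vector), but models the WebAuthn side in simplified form: an HMAC over a constructed stand-in key replaces the authenticator's real public-key signature, and only the rpIdHash check is shown (real verifiers also check the origin in clientDataJSON, the signature counter and user-presence flags). All domains, keys and challenges are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct


# --- TOTP (RFC 6238), the scheme behind Authy/Google Authenticator-style codes ---
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current time step, truncated to `digits` decimal digits."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verifies_totp(secret: bytes, submitted_code: str, timestamp: int) -> bool:
    # Nothing in a six-digit code says which web page the user typed it into,
    # so the real server cannot distinguish a directly entered code from a
    # relayed one; it can only check that the digits match.
    return hmac.compare_digest(totp(secret, timestamp), submitted_code)


# --- Simplified FIDO2/WebAuthn assertion: origin binding via rpIdHash ---
def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(key: bytes, visited_rp_id: str, challenge: bytes):
    """The browser passes the rpId of the page actually being visited; the
    authenticator signs SHA-256(rpId) || SHA-256(challenge). HMAC with a
    constructed key stands in for the real private-key signature."""
    authenticator_data = rp_id_hash(visited_rp_id)
    signed_bytes = authenticator_data + hashlib.sha256(challenge).digest()
    return authenticator_data, hmac.new(key, signed_bytes, hashlib.sha256).digest()


def rp_verifies_assertion(key: bytes, expected_rp_id: str, challenge: bytes,
                          authenticator_data: bytes, signature: bytes) -> bool:
    # First check: the signed rpIdHash must be the relying party's own domain.
    # An assertion produced while the browser was on a look-alike domain fails here.
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash(expected_rp_id)):
        return False
    expected = hmac.new(key, authenticator_data + hashlib.sha256(challenge).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Compare how each factor behaves when the second factor is produced on a
    look-alike domain instead of the real one. Returns the three verdicts."""
    totp_secret = b"12345678901234567890"   # constructed seed (RFC 6238 test secret)
    fixed_time = 59                          # fixed timestamp for a deterministic run
    code_from_lookalike = totp(totp_secret, fixed_time)
    totp_verdict = server_verifies_totp(totp_secret, code_from_lookalike, fixed_time)

    key = b"constructed-stand-in-for-authenticator-private-key"
    challenge = b"constructed-server-chosen-challenge"
    real_rp = "sso.example"                  # constructed real relying-party domain
    lookalike_rp = "sso-login.example"       # constructed look-alike domain
    ad_real, sig_real = authenticator_sign(key, real_rp, challenge)
    ad_fake, sig_fake = authenticator_sign(key, lookalike_rp, challenge)
    return {
        "totp_accepted_from_lookalike": totp_verdict,
        "fido_accepted_from_real_origin":
            rp_verifies_assertion(key, real_rp, challenge, ad_real, sig_real),
        "fido_accepted_from_lookalike":
            rp_verifies_assertion(key, real_rp, challenge, ad_fake, sig_fake),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In a real deployment the look-alike case is even weaker than modelled here: the browser refuses to use a credential whose rpId does not match the visited origin, so the authenticator would never produce the assertion at all. The point the thread makes stands either way: the server-side check on rpIdHash is what has no TOTP equivalent, which is why relaying a one-time code works and relaying a FIDO2 assertion does not.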

CyberDevil
What other 2FA service could be Authy's replacement?

Edit - If nothing else looks promising, I will possibly look to moving to Microsoft authenticator.
Lightning rarely strikes the same tree twice. I personally do not plan to replace Authy with something else, especially because, judging by the need to enter a password to decrypt plus phone authentication, I really doubt that even the developers themselves have access to users' 2FA, if there are no special vulnerabilities. But I want to believe that not everyone in the world works for intelligence agencies :)
 

Numeriku
Lightning rarely strikes the same tree twice. I personally do not plan to replace Authy with something else, especially because, judging by the need to enter a password to decrypt plus phone authentication, I really doubt that even the developers themselves have access to users' 2FA, if there are no special vulnerabilities. But I want to believe that not everyone in the world works for intelligence agencies :)
I totally forgot that our backups on Authy are encrypted :eek:
 

CyberTech
For those who are looking for a replacement

I would go with Raivo (iOS only: iPhone & iPad), but it has no Windows support ;/
As I posted in a link, I'm waiting for someone who is an expert in 2FA to talk here..

#PrayForMT

 

R2D2
This is worrying because my wife and I use Authy. As with all closed source programs, these guys are being coy about the impact on Authy users, which I personally feel uncomfortable about. There are two options here: one is changing backup passwords and/or going through the process of migrating to another TOTP programme and hoping they are safe. As for changing passwords, I am not sure how effective that is, given the hackers may have my data encrypted with the old password. Option two, i.e. setting up on another TOTP app, is gonna be a painful task.

For those interested here is their blog updated Aug 10th: Incident Report: Employee and Customer Account Compromise
 

Kongo
That's at least a little relieving...

[attached image: Screenshot 2022-08-12 134436.jpg]
 

entropism
I've been looking around for replacements, and nothing besides Google Authenticator or Microsoft Authenticator is free and multi-platform.

2FAS is close, but the cloud storage it uses is OS dependent. So iOS devices use iCloud storage and Android uses Google Drive. You can't sync an iPhone with an Android device, which is just so stupid I can't even comprehend the decision.
 
ForgottenSeer 94943

Personally, I stopped using Authy a long time ago. It was too much of a risk. I started using andOTP which is offline and open source and kept backups synced to Koofr. Now that andOTP is discontinued, I started using Aegis Authenticator.

Anyway, regarding the Twilio hack, Authy is just a small part of their business, and I am not sure if Authy data is included. But better safe than sorry. I would disable all 2FA in all services and then enable them again, but using something other than Authy. It could be your password manager or an authenticator such as Aegis.
 

R2D2
So, I went ballistic and migrated my tokens to 2FAS on iOS first, followed by Aegis on Android. It took quite a bit of effort since I had nearly 90 tokens to migrate.

Authy users wanting to migrate can use a method shared on Github which works very well indeed. Hope Twilio doesn't update the code and mess it up. :) Generating Authy passwords on other authenticators

2FAS on iOS can also do a file backup to Dropbox. Just export the data say to Dropbox and reimport it into the app of your choice. Now Aegis can import 2FAS data so that was a piece of cake. I have not deleted my Authy tokens yet and will retain them for now.
 

Kongo
So, I went ballistic and migrated my tokens to 2FAS on iOS first, followed by Aegis on Android. It took quite a bit of effort since I had nearly 90 tokens to migrate.

Authy users wanting to migrate can use a method shared on Github which works very well indeed. Hope Twilio doesn't update the code and mess it up. :) Generating Authy passwords on other authenticators

2FAS on iOS can also do a file backup to Dropbox. Just export the data say to Dropbox and reimport it into the app of your choice. Now Aegis can import 2FAS data so that was a piece of cake. I have not deleted my Authy tokens yet and will retain them for now.
I actually think that I will stay with Authy. Let's hope they learned from that incident.
 