Twilio Customer Data Exposed after its Staffers got Phished

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Twilio confirmed a breach of the communication giant's network and accessed "a limited number" of customer accounts after tricking some employees into falling for a phishing attack.

The company declined to respond to The Register's inquiries about how many customers' accounts were compromised and the type of data that the crooks stole, but the investigation is ongoing. Twilio said it first became aware of the breach on August 4, after current and former employees received text messages claiming to be from Twilio's IT department saying the employees' passwords were expired, or for some other reason they needed to log into a phony URL that looked like Twilio's sign-in page. In reality, however, the webpages were attacker-controlled sites, and once the employees entered their usernames and passwords, the crooks grabbed the credentials and used those to access Twilio's internal systems.

All of the text messages originated from US-carrier networks, and Twilio said it worked with the network operators and hosting providers to shut down the malicious accounts. "Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers," the cloud communication biz noted.
Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers including Lyft, American Red Cross, Salesforce, Twitter and VMware. But this incident wasn't alone, Twilio said, but part of a larger campaign.
 

Numeriku

Level 2
Verified
Mar 13, 2022
65
Same here.
I thought there would be no problems in the future when I chose Authy but since it was taken over by Twilio there seems to be more and more problems....
What other 2FA service could be Authy's replacement?

Bitwarden is the only other one I trust aside from authy but you need 10/yr for that feature, and many people say it is not advisable to merge together password manager and totp, I am just waiting for the email from Twilio if my account was compromised and I have to revoke all 200+ secrets.

Edit - If nothing else looks promising, I will possibly look to moving to Microsoft authenticator.
 

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
At least two security-sensitive companies—Twilio and Cloudflare—were targeted in a phishing attack by an advanced threat actor who had possession of home phone numbers of not just employees but employees' family members as well.

In the case of Twilio, a San Francisco-based provider of two-factor authentication and communication services, the unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to data in an undisclosed number of customer accounts.

Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had also been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
It's impressive that despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company's use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords from sent text messages or even generated by an authentication app, it likely would have been a different story.
 

CyberDevil

Level 6
Verified
Well-known
Apr 4, 2021
252
What other 2FA service could be Authy's replacement?

Edit - If nothing else looks promising, I will possibly look to moving to Microsoft authenticator.
Lightning rarely strikes the same tree twice, I personally do not plan to replace Authy for something else, especially because, judging by the need to enter a password to decrypt + phone authentication, I really doubt that even the developers themselves have access to 2FA of users, if there are no special vulnerabilities, but I want to believe that not everyone in the world work for intelligence agencies :)
 

Numeriku

Level 2
Verified
Mar 13, 2022
65
Lightning rarely strikes the same tree twice, I personally do not plan to replace Authy for something else, especially because, judging by the need to enter a password to decrypt + phone authentication, I really doubt that even the developers themselves have access to 2FA of users, if there are no special vulnerabilities, but I want to believe that not everyone in the world work for intelligence agencies :)
I totally forget that our backups on authy are encrypted :eek:
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
For those who are looking for a replacement

I would go with Raivo (ONLY iOS as iPHONE & iPAD) but no support Windows ;/
As i posted a link that i'm waiting for someone who are expert of 2FA that can talk here..

#PrayForMT

Other tech news
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
This is worrying coz my wife and I use Authy. As with all closed source programs these guys are being coy about the impact on Authy users which I personally feel uncomfortable about. There are two options here one is changing backup passwords and or going through the process of migrating to another TOTP programme and hoping they are safe. As for changing passwords, I am not sure how effective that is given the hackers may have my data encrypted with the old password. Option two i.e. setting up on another TOTP app is gonna be a painful task.

For those interested here is their blog updated Aug 10th: Incident Report: Employee and Customer Account Compromise
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
That's at least a little relieving...

Screenshot 2022-08-12 134436.jpg
 

entropism

Level 4
Verified
Jul 30, 2019
177
I've been looking around for replacements, and nothing besides Google Authenticator or Microsoft Authenticator is free and multi-platform.

2FAS is close, but the cloud storage it uses is OS dependent. So iOS devices us iCloud storage and Android uses Google Drive. You can't sync an iPhone with an Android device, which is just so stupid I can't even comprehend the decision.
 
F

ForgottenSeer 94943

Personally, I stopped using Authy a long time ago. It was too much of a risk. I started using andOTP which is offline and open source and kept backups synced to Koofr. Now that andOTP is discontinued, I started using Aegis Authenticator.

Anyway regarding Twillo hack, Authy is just a small part of their business, and I am not sure if Authy Data is included. But better safe than sorry. I would disable all 2FA in all services and then enable them again, but using sth other than Authy. It could be your password manager or an Authenticator such as Aegis.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
So, I went ballistic and migrated my tokens to 2FAS on iOS first and followed by Aegis on Android. It took quite a bit of effort since I had nearly 90 tokens to migrate.

Authy users wanting to migrate can use a method shared on Github which works very well indeed. Hope Twilio doesn't update the code and mess it up. :) Generating Authy passwords on other authenticators

2FAS on iOS can also do a file backup to Dropbox. Just export the data say to Dropbox and reimport it into the app of your choice. Now Aegis can import 2FAS data so that was a piece of cake. I have not deleted my Authy tokens yet and will retain them for now.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
So, I went ballistic and migrated my tokens to 2FAS on iOS first and followed by Aegis on Android. It took quite a bit of effort since I had nearly 90 tokens to migrate.

Authy users wanting to migrate can use a method shared on Github which works very well indeed. Hope Twilio doesn't update the code and mess it up. :) Generating Authy passwords on other authenticators

2FAS on iOS can also do a file backup to Dropbox. Just export the data say to Dropbox and reimport it into the app of your choice. Now Aegis can import 2FAS data so that was a piece of cake. I have not deleted my Authy tokens yet and will retain them for now.
I actually think that I will stay with Authy. Let's hope they learned from that incident.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top