Twilio Reveals Another Breach from the Same Hackers Behind the August Hack

Communication services provider Twilio this week disclosed that it experienced another “brief security incident” in June 2022, perpetrated by the same threat actor behind the August hack that resulted in unauthorized access to customer information.

The security event occurred on June 29, 2022, the company said in an updated advisory shared this week as part of its probe into the digital break-in.

“In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” Twilio said.

It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.

The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, or why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from the 163 it reported on August 24, and 93 Authy users.

Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has approximately 75 million total users.

“The last observed unauthorized activity in our environment was on August 9, 2022,” it said, adding, “There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.”

To mitigate such attacks in the future, Twilio said it’s distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness of social engineering attacks.

The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.

The infection chains entailed identifying employees’ mobile phone numbers, then sending rogue SMS messages or calling those numbers to trick the recipients into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the victims’ networks.

As many as 136 organizations are estimated to have been targeted, including Klaviyo, MailChimp, DigitalOcean, Signal, and Okta, as well as an unsuccessful attack aimed at Cloudflare.
