Saturday, October 29, 2022

Twilio Reveals Another Breach from the Same Hackers Behind the August Hack


Communication services provider Twilio this week disclosed that it experienced another “temporary security incident” in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access to customer information.

The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.

“In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” Twilio said.

It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.

The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, or why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from 163 it reported on August 24, and 93 Authy users.

Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has roughly 75 million total users.

“The last observed unauthorized activity in the environment was on August 9, 2022,” it said, adding, “There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.”

To mitigate such attacks in the future, Twilio said it is distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness about social engineering attacks.


The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.

The infection chains entailed identifying mobile phone numbers of employees, followed by sending rogue SMSes or calling those numbers to trick them into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the networks.

As many as 136 organizations are estimated to have been targeted, some of which include Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and an unsuccessful attack aimed at Cloudflare.


