Twilio account breach result of sophisticated social engineering campaign

Man typing code on a laptop

Cloud communications platform Twilio has admitted that hackers gained access to some customer data last week after a social engineering attack handed internal login credentials to threat actors.

Twilio employees were subjected to phishing texts requesting that they change their company passwords, each including a link with the keywords “Twilio”, “Okta” and “SSO” to make the URLs look more legitimate.

If an employee clicked the link, they were asked for their current credentials, which the threat actors harvested and used to access internal systems.

In an incident report, Twilio stated that the attacks were halted after the company “worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.”

The phishing element of the breach was enhanced by social engineering on the part of the threat actors, who made the texts appear as if they were sent by the Twilio IT department. Texts also addressed employees by name in some examples.

The company also stated that it has heard first-hand that other companies were subjected to similar attacks, and that despite coordination with carrier networks the threat actors continue to operate. Investigations are ongoing.

The fact that former employees, as well as current employees, received the texts along with the threat actors’ reported ability to link phone numbers to individual names of employees, suggests a well-equipped operation backed by an understanding of the firm.

Twilio has been in touch with those customers whose data was potentially compromised and has no reason at this stage to suspect malicious activity outside of the accounts it has identified.

“We have reemphasized our security training to ensure employees are on high alert for social engineering attacks and have issued security advisories on the specific tactics being utilized by malicious actors since they first started to appear several weeks ago.

“We have also instituted additional mandatory awareness training on social engineering attacks in recent weeks. Separately, we are examining additional technical precautions as the investigation progresses.”

Social engineering attacks are difficult to mitigate because defence is only as strong as an individual’s ability to recognise something is wrong. There is little that security systems can do to protect a company's infrastructure if users are willing to give up their passwords over the phone, and clicking links sent from an unrecognised number carries a similar risk.

It is always best to double-check the origin of communications claiming to be from officials and to question requests to change your password. Two-factor authentication (2FA) can also be a good barrier between employees and unwanted login attempts.

“Phishing is an important component of social engineering,” stated Paul Brucciani, a cyber security advisor at WithSecure.

“Email recipients are more likely to be deceived by a phishing email read on a smartphone than a desktop machine. Other risk factors are time pressure and organisational change which makes it harder to discern whether the context of the email is appropriate (unusual requests are not regarded as suspicious by email recipients if they are not familiar with organisational changes that have been made).

"A well-crafted, untargeted phishing email can dupe as many as 30% of users in almost any organisation.”

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.