Communication services provider Twilio revealed this week that another “brief security incident” occurred in June 2022. It was carried out by the same attackers as the August hack and resulted in unauthorized access to customer information.
The security event occurred on June 29, 2022, the company said in its latest advisory shared this week as part of its investigation into a digital intrusion.
“In the June incident, a Twilio employee was socially engineered to provide credentials via voice phishing (or ‘vishing’), and malicious actors got access to customer contact information for a limited number of customers,” Twilio said.
It further said that the access gained in the successful attack was identified and contained within 12 hours, and that affected customers were alerted on July 2, 2022.
The San Francisco-based company has not disclosed the exact number of customers affected by the June incident, nor why the disclosure was made four months after the incident occurred. Details of the second leak came as Twilio pointed out that the threat actor had access to the data of 209 customers, up from the 163 it reported on Aug. 24, and 93 Authy users.
Twilio, a provider of personalized customer engagement software, has over 270,000 customers, and the Authy two-factor authentication service has a total of approximately 75 million users.
“The last known malicious activity in our environment was August 9, 2022,” the company said, adding that there is no evidence that a malicious actor accessed Twilio customers’ console account credentials, authentication tokens, or API keys.
To mitigate such attacks in the future, Twilio says it will distribute FIDO2-compliant hardware security keys to all employees, implement additional layers of control within VPNs, and conduct mandatory security training for its employees to increase awareness of social engineering attacks.
The attacks against Twilio are the work of a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and are part of a broader campaign against software, telecom, financial, and education companies.
The infection chain involves identifying employees’ mobile phone numbers and then sending malicious SMS messages or placing calls to those numbers to trick the employees into clicking on fake login pages, which collect the entered credentials for subsequent reconnaissance operations within the network.
An estimated 136 organizations were targeted, including failed attacks targeting Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and Cloudflare.