Twilio hack investigation reveals second breach, because the variety of affected prospects rises • TechCrunch

U.S. messaging big Twilio confirmed it was hit by a second breach in June that noticed cybercriminals entry buyer contact data.

Affirmation of the second breach — carried out by the identical “0ktapus” hackers that compromised Twilio once more in August — was buried in an replace to a prolonged incident report that Twilio concluded on Thursday.

Twilio mentioned the “transient safety incident,” which occurred on June 29, noticed the identical attackers socially engineer an worker via voice phishing, a tactic whereby hackers make fraudulent telephone calls impersonating the corporate’s IT division in an effort to trick staff into handing over delicate data. On this case, the Twilio worker offered their company credentials, enabling the attacker to entry buyer contact data for a “restricted quantity” of shoppers.

“The risk actor’s entry was recognized and eradicated inside 12 hours,” Twilio mentioned in its replace, including that prospects whose data was impacted by the June Incident had been notified on July 2.

When requested by TechCrunch, Twilio spokesperson Laurelle Remzi declined to substantiate the precise variety of prospects impacted by the June breach and declined to share a replica of the discover that the corporate claims to have despatched to these affected. Remzi additionally declined to say why Twilio has solely simply disclosed the incident.

Twilio additionally confirmed in its replace that the hackers behind the August breach accessed the information of 209 prospects, a rise from 163 prospects it shared on August 24. Twilio has not named any of its impacted prospects, however some — like encrypted messaging app Sign — have notified customers that they had been affected by Twilio’s breach. The attackers additionally compromised the accounts of 93 Authy customers, Twilio’s two-factor authentication app it acquired in 2015.

“There isn’t any proof that the malicious actors accessed Twilio prospects’ console account credentials, authentication tokens, or API keys,” Twilio mentioned in regards to the attackers, which maintained entry to Twilio’s inside setting for 2 days between August 7 and August 9, the corporate confirmed.

The Twilio breach is a part of a wider marketing campaign from a risk actor tracked as “0ktapus,” which focused a minimum of 130 organizations, together with Mailchimp and Cloudflare. However Cloudflare mentioned the attackers did not compromise its community after having their makes an attempt blocked by phishing-resistant {hardware} safety keys.

As a part of its efforts to mitigate the efficacy of comparable assaults sooner or later, Twilio has introduced that it’s going to additionally roll out {hardware} safety keys to all staff. Twilio declined to touch upon its rollout timeline. The corporate says it additionally plans to implement further layers of management inside its VPN, take away and restrict sure performance inside particular administrative tooling, and improve the refresh frequency of tokens for Okta-integrated purposes.