Cloud communications company Twilio has disclosed a second data breach, stemming from a June 2022 security incident in which the same attackers behind the August hack accessed some customers’ information.
Twilio says this was a “brief security incident” on June 29. The attacker used social engineering to trick an employee into handing over their credentials in a voice phishing attack.
The stolen credentials were then used “to access customer contact information for a limited number of customers.”
“The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022,” the company revealed on Thursday.
209 customers affected by the August breach
Twilio also shared that hackers behind the August breach had accessed the data of 209 customers and 93 Authy end users after breaching some internal non-production systems using employee credentials stolen in an SMS phishing attack.
“209 customers – out of a total customer base of over 270,000 – and 93 Authy end users – out of approximately 75 million total users – had accounts that were impacted by the incident,” Twilio said.
After concluding its investigation, Twilio also said it found no evidence that any customer console account credentials, API keys, or authentication tokens were accessed.
While the company disclosed the incident on August 7, it has now revealed that the attackers retained access to this environment for two more days.
“The last observed unauthorized activity in our environment was on August 9, 2022,” the company added.
Large-scale coordinated SMS phishing campaign
As Twilio said after the August incident, the attackers gained access to its network using employee credentials stolen in an SMS phishing attack.
Once inside Twilio’s systems, the hackers accessed customer data using administrative portals, accessed Authy 2FA accounts and codes, and registered their own devices to obtain temporary tokens.
The Twilio data breach is part of a more extensive campaign from a threat actor tracked as Scatter Swine or 0ktapus that targeted at least 130 organizations, including MailChimp, Klaviyo, and Cloudflare.
Cloudflare, whose employees also had their credentials stolen in a similar SMS phishing attack, said the attackers failed to breach its systems because the login attempts were blocked by company-issued FIDO2-compliant hardware security keys.
As a result of the June and August breaches, Twilio says it reset the credentials of the compromised employee user accounts and is distributing FIDO2 tokens to all employees.
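The reason the same real-time phishing relay that captured OTP codes (as described above for the Authy accounts) fails against FIDO2 keys (as Cloudflare reported) is origin binding: the browser, not the page, writes the origin into the signed client data, and the key scopes the assertion to that domain. The following is an added illustration written for this page, not code from Twilio, Cloudflare or any FIDO2 library. All host names are constructed, and an HMAC stands in for the key's ECDSA signature so it runs on the Python standard library alone; the relying-party checks (type, challenge, origin, rpIdHash, signature) follow the order a WebAuthn server performs them.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed names for this example only; not Twilio's or Cloudflare's.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.phish.example"


@dataclass
class SecurityKey:
    """Toy FIDO2 authenticator. A real key signs with a per-credential private
    key (e.g. ECDSA); an HMAC over the same data stands in here. The property
    shown is unchanged: the signed data covers browser-filled client data and
    is scoped to the domain the browser saw."""
    secret: bytes

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        flags = b"\x01"                      # user-present bit set
        sign_count = (1).to_bytes(4, "big")
        authenticator_data = rp_id_hash + flags + sign_count
        signed = authenticator_data + hashlib.sha256(client_data_json).digest()
        signature = hmac.new(self.secret, signed, hashlib.sha256).digest()
        return {"authenticatorData": authenticator_data,
                "clientDataJSON": client_data_json,
                "signature": signature}


def browser_get(key: SecurityKey, page_origin: str, challenge: bytes) -> dict:
    """Models navigator.credentials.get(): the browser writes the page's own
    origin into clientDataJSON and derives the RP ID from that origin's host.
    A phishing page cannot request a different origin than the one it is on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id = page_origin.removeprefix("https://")
    return key.get_assertion(rp_id, client_data)


def verify_assertion(secret: bytes, assertion: dict, expected_challenge: bytes,
                     rp_id: str = RP_ID, allowed_origins=(RP_ORIGIN,)):
    """Relying-party checks. Returns (accepted, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""),
                               expected_challenge.hex()):
        return False, "challenge mismatch or replay"
    if client_data.get("origin") not in allowed_origins:
        return False, f"origin {client_data.get('origin')} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(key: SecurityKey):
    challenge = os.urandom(32)
    return verify_assertion(key.secret, browser_get(key, RP_ORIGIN, challenge), challenge)


def relayed_fido2_login(key: SecurityKey):
    """Real-time relay: the attacker starts a login at the real RP, passes the
    fresh challenge to the victim's browser on the phishing page, and forwards
    the assertion. The browser stamps the phishing origin into the client data,
    so the RP rejects it even though the challenge is fresh and the user touched
    the key."""
    challenge = os.urandom(32)
    return verify_assertion(key.secret, browser_get(key, PHISH_ORIGIN, challenge), challenge)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the kind of code an authenticator app shows."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def relayed_otp_login(shared_secret: bytes, now: int = 1_700_000_000) -> bool:
    """Same relay against an OTP second factor: the victim types the code into
    the phishing page and the attacker submits it to the real site within the
    same time step. Nothing in the code records where it was typed."""
    typed_on_phishing_page = totp(shared_secret, now)
    return hmac.compare_digest(typed_on_phishing_page, totp(shared_secret, now))
```

The relayed OTP login is accepted, while the relayed FIDO2 assertion is rejected at the origin check before the signature is even examined. In a real deployment the allowed-origin list and RP ID are the server's configuration; an RP that skips the origin check (or sets a wildcard) gives up exactly the protection Cloudflare credited for stopping this campaign.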