Twilio ‘smishing’ attack compromised around 125 corporate clients, including Signal

Smishing, baby. Communications tool giant Twilio, which provides text and phone services to over 250,000 corporate customers ranging from Facebook to the American Red Cross, suffered a serious breach of its systems after unknown parties bombarded its employees with sham password reset requests via text.

According to Twilio’s incident report, the firm was compromised by what’s known as a “smishing” (SMS phishing) attack on current and former employees—a method that is increasingly being used to target large businesses, as employer oversight of mobile devices is often lax.

In Twilio’s case, the bogus text messages supposedly came from the company’s IT department and informed the workers their company passwords had expired or their schedule had changed. Included in the texts was a URL (including words such as “Twilio,” “Okta,” and “SSO”) that superficially resembled Twilio’s actual login page. Instead, the link led to an attacker-controlled server designed to steal employee credentials. Twilio wrote in the report that the hackers had some method of pairing staff’s identities and roles to their phone number.
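
A defender can triage reported texts for the pattern described above. The following is an added example, not code from Twilio's report or from this article: it flags links whose hostname borrows the words the article lists but does not belong to an allowlisted domain. The allowlist, the sample messages and the `.example` hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Words the article says appeared in the lookalike URLs.
BRAND_WORDS = ("twilio", "okta", "sso")
# Assumption: domains the organization actually uses for sign-in.
ALLOWED_DOMAINS = ("twilio.com", "okta.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def on_allowlist(host: str) -> bool:
    # Match the domain itself or a true subdomain, so a host such as
    # "twilio.com.something.example" is NOT treated as twilio.com.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def flag_message(text: str):
    """Return (hostname, matched_words) for each suspicious link in text."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host or on_allowlist(host):
            continue
        # Substring match is a triage signal, not a verdict: it can also
        # hit unrelated hostnames that happen to contain "sso".
        hits = [w for w in BRAND_WORDS if w in host]
        if hits:
            findings.append((host, hits))
    return findings

# Constructed sample messages, modelled on the lures the article describes.
SAMPLE_SMS = [
    "Notice: your password has expired. Sign in at https://twilio-sso.example/reset to update it.",
    "Your schedule has changed. Review: https://twilio.com.okta-login.example/s",
    "Reminder: the status page is https://status.twilio.com/",
    "Lunch menu: https://cafeteria.example/today",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(flag_message(sms), "<-", sms)
```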

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio wrote in a status update to the original report on August 11. “There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”

An expansive operation.

Cloudflare, a content delivery network and DDoS mitigation company, disclosed this month that it was subject to a near-identical attack around the same time as Twilio. According to Cloudflare, the fake URL page asked users to enter their Cloudflare Okta usernames and passwords, as well as a time-based one-time password (TOTP) code, a form of two-factor authentication. Unknown to the users, the attackers planned to quickly enter the logins and passwords into Cloudflare’s actual system, prompting it to text real codes to the employees that could be collected via the fake page.

Fortunately, Cloudflare reported, just three employees clicked the link. No systems were actually accessed by the hackers, as the company relies on FIDO2-compliant physical security keys rather than TOTP.
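
Why the security keys made the difference, as an added example that is not from Cloudflare's write-up or this article: a one-time code is just digits that verify no matter which page collected them, while a FIDO2 assertion is signed over the origin the browser was really on. The model is simplified: an HMAC stands in for the authenticator's public-key signature, and the origins, key and challenge are constructed.

```python
import hashlib, hmac, json, struct

REAL, LOOKALIKE = "https://sso.corp.example", "https://corp-sso.example"  # constructed
SECRET = b"12345678901234567890"   # RFC 6238 test secret
KEY = b"constructed-demo-key"      # stand-in for the security key's private key

def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_checks_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server sees only digits; nothing records which page collected them.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_sign(key: bytes, browser_origin: str, challenge: str):
    # The browser, not the user, writes the origin it is really on into the
    # data that gets signed (simplified form of WebAuthn's clientDataJSON).
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_checks_assertion(key, expected_origin, challenge, client_data, sig) -> bool:
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == expected_origin and data["challenge"] == challenge

def simulate(now: int = 59, challenge: str = "c0ffee"):
    code = totp(SECRET, now)                         # typed into the lookalike page
    cd, sig = key_sign(KEY, LOOKALIKE, challenge)    # key used on the lookalike page
    cd2, sig2 = key_sign(KEY, REAL, challenge)       # key used on the real page
    return {
        "totp_relayed": server_checks_totp(SECRET, code, now),
        "fido2_relayed": server_checks_assertion(KEY, REAL, challenge, cd, sig),
        "fido2_direct": server_checks_assertion(KEY, REAL, challenge, cd2, sig2),
    }

if __name__ == "__main__":
    print(simulate())
```

In real WebAuthn the authenticator additionally scopes each credential to the relying party ID, so a lookalike domain normally cannot obtain an assertion at all.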

Downstream consequences.

According to TechCrunch, encrypted messaging app Signal disclosed this week that the Twilio breach had allowed hackers to access phone numbers and SMS verification codes for around 1,900 users—apparently seeking out three users in particular (one of whom was a Motherboard reporter). Signal said that the attacker proceeded to re-register one of those three accounts, which potentially could have allowed them to impersonate the original number.

That attack was apparently possible because Signal relies on Twilio to transmit its verification codes, and the hackers briefly had access to Twilio’s customer support system. This has troubling implications for any organization relying on SMS authentication to control access, as the third-party vendors that actually handle the requests are a potential weak point in the verification chain.

“What I find frightening goes beyond the implications for Signal. Any platform or service can be manipulated to hand over verification credentials to an attacker,” Freedom of the Press Foundation’s CISO and digital security director Harlo Holmes told Motherboard. “And despite the protections various services put in place to protect our accounts once we’ve been verified, it is at this point when these accounts are the most vulnerable to takeover.”
