Twilio Reveals Another Breach from the Same Hackers Behind the August Hack


Communication services provider Twilio this week disclosed that it experienced another “brief security incident” in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.

The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.

“In the June incident, a Twilio employee was socially engineered by voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” Twilio said.

It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.

The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, or why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from 163 it reported on August 24, and 93 Authy users.

Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has approximately 75 million total users.

“The last observed unauthorized activity in the environment was on August 9, 2022,” it said, adding, “There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.”

To mitigate such attacks in the future, Twilio said it is distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness about social engineering attacks.


The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.

The infection chains entailed identifying mobile phone numbers of employees, followed by sending rogue SMSes or calling those numbers to trick them into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the networks.

As many as 136 organizations are estimated to have been targeted, some of which include Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and an unsuccessful attack aimed at Cloudflare.
