Phone numbers and other data belonging to users of Cisco Duo’s identity authentication service have been stolen following the breach of a third-party telephony supplier.
Cisco Duo provides organizations with multi-factor authentication (MFA) and single sign-on (SSO) network access.
According to its website, the service (which was acquired by Cisco in 2018) has over 100,000 customers whose users make more than a billion authentication requests each month.
In an email to affected customers, Cisco’s data privacy and incident response team said a threat actor gained access on April 1 to the internal systems of a telephony company Duo uses to send MFA messages via SMS and automated voice calls.
The breach enabled the threat actor to download logs of SMS messages sent to certain users between March 1 and March 31.
“The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.),” the email said.
The breach occurred following a successful phishing attack against an employee who worked for the third-party telephony company, which Cisco did not name in the email.
However, Cisco did say that the third-party provider’s investigation into the breach confirmed the hackers did not send any messages to any of the phone numbers in the logs.
“The Provider also started implementing measures to prevent similar incidents from occurring in the future and additional technical measures to further mitigate the risk associated with social-engineering attacks.”
Roger Grimes, data-driven defense evangelist at KnowBe4, said the breach had provided the hackers with a customer list and phone numbers, from which they could pick and choose who they wanted to attack.
“I’ve not learned of any breaches resulting from the compromise — yet — but anyone can easily imagine all sorts of spear phishing attacks, including SIM swapping attacks, where the attacker takes over the victim's phone number and any authentication confirmation or information messages get routed to the attacker instead.”
Grimes said social engineering and phishing were involved in 70% to 90% of successful cyberattacks.
“Despite that fact, almost no company spends even 5% of their IT/IT security budget to fight it. It is that fundamental misalignment between how most companies are successfully attacked and how we defend that allows hackers and their malware creations to be so continually successful for decades.”