Cloud Security, Vulnerability Management, Data Security

SMS phishing nabs Twilio employee credentials, allowed access to customer data

A screen image of a sample SMS phishing message received by a Twilio employee. (via Twilio)

Twilio, a cloud-based communications platform, said a limited number of customer accounts were accessed after a sophisticated phishing attack successfully stole employee credentials.

The company said it first became aware of unauthorized access to customer account information on Aug. 4, acknowledging in a blog posted Aug. 7 that the broad-based attack succeeded in fooling some employees into giving their login credentials. 

The San Francisco-based company said it was investigating the incident and is notifying affected customers. Some of the clients of the customer engagement platform include Salesforce, Dell, Twitter and Airbnb.

The company’s security team said current and former employees recently reported getting text messages that claimed to be from its IT department suggesting that their passwords had expired or that their schedule changed. The attacker-controlled link provided in the text contained words such as  “Twilio,” “Okta,” and “SSO” to trick users to sign into an impersonated Twilio login page. 

The threat actors were able to match employee names from sources with their phone numbers, according to the blog post, and that Twilio has worked with U.S. carriers and providers to shut down the malicious accounts and URLs. In spite of working with carriers to stop the messages, Twilio security said the threat actors have rotated carriers and providers to continue their attacks.

The compromised employee accounts have had their access revoked and Twilio said it has reemphasized its security training for employees. 

Erfan Shadabi, a cybersecurity expert with data security specialists comforte AG, said adopting a zero-trust framework is one of the best ways to mitigate phishing attacks such as the one used against Twilio employees.

"'Zero trust' means you assume you’ve already been breached, provide no implicit trust, verify again and again, and only provide minimal privileges upon successful authentication," Shadabi said. "... Positive trends such as zero-trust architectures, supported by more data-centric protection methods (protecting the data itself rather than the borders around it), can really help in the long run.”

The attackers have not been identified, but the company said they have heard from other companies that were subject to similar attacks and that Twilio is working with law enforcement. 

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.
Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

You can skip this ad in 5 seconds