Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack


Customer engagement platform Twilio on Monday disclosed that a “sophisticated” threat actor gained “unauthorized access” using an SMS-based phishing campaign aimed at its staff to gain information on a “limited number” of accounts.

The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary “well-organized” and “methodical in their actions.” The incident came to light on August 4.

“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” it said in a notice. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”


The communications giant has 268,000 active customer accounts, and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients. It also owns the popular two-factor authentication (2FA) service Authy.

Twilio, which is still continuing its investigation into the hack, noted it's working directly with customers who were impacted. It didn't disclose the scale of the attack, the number of employee accounts that were compromised, or what types of data may have been accessed.

Phishing schemes, both leveraging email and SMS, are known to lean on aggressive scare tactics to coerce victims into handing over their sensitive information. This is no exception.

SMS Phishing Attack

The SMS messages are said to have been sent to both current and former employees masquerading as coming from its IT department, luring them with password expiry notifications to click on malicious links.

The URLs included words such as “Twilio,” “Okta,” and “SSO” (short for single sign-on) to increase the chance of success and redirected the victims to a phony website that impersonated the company’s sign-in page. It's not immediately clear if the breached accounts were secured by 2FA protections.
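An added example, not taken from Twilio's notice or from this article: a defender-side check that flags links in inbound messages whose URL carries the brand keywords named above but whose host is not one of the organization's real sign-in domains. The allowlist, the helper names, and the sample messages (which use the reserved `.example` TLD) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Keywords the article says appeared in the lure URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Assumption: domains the organization really uses for sign-in.
ALLOWED_DOMAINS = {"twilio.com", "okta.com"}

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)

def is_allowed(host: str) -> bool:
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def keyword_hits(url: str) -> list[str]:
    """Brand keywords present in the URL, matched per token to limit noise."""
    tokens = re.split(r"[^a-z0-9]+", url.lower())
    # Short keywords ("sso") must be a whole token, otherwise "lessons" matches;
    # longer ones may be embedded ("twiliohelp").
    return [k for k in BRAND_KEYWORDS
            if any(k == t or (len(k) > 3 and k in t) for t in tokens)]

def suspicious_urls(message: str) -> list[tuple[str, list[str]]]:
    """Return (url, matched keywords) for brand-keyword URLs on unknown hosts."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host or is_allowed(host):
            continue  # the suffix check runs on the parsed host, not the raw text
        matched = keyword_hits(url)
        if matched:
            hits.append((url, matched))
    return hits

# Constructed sample messages, not real indicators.
SAMPLE_SMS = [
    "Notice: your password has expired. Sign in at https://twilio-sso.example/login to update.",
    "Reminder: schedule changed, see https://okta.com/help for SSO details.",
    "Your lessons start Monday: https://school.example/lessons",
    "ALERT! Login expired. Visit http://login.okta.com.verify-id.example/reset now",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(suspicious_urls(sms))
```

The fourth sample shows why the allowlist is compared against the end of the parsed hostname: a real domain placed as a leading label of an unrelated host does not pass.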


Twilio said the messages originated from U.S. carrier networks and that it worked with the telecom service and hosting providers to shut down the scheme and the attack infrastructure used in the campaign. The takedown efforts, however, have been offset by the attackers migrating to other carriers and hosting providers.

“Moreover, the threat actors appeared to have sophisticated abilities to match employee names from sources with their phone numbers,” it noted.

The San Francisco-based firm has since revoked access to the compromised employee accounts to mitigate the attack, adding it's examining additional technical safeguards as a preventive measure.

The disclosure arrives as spear-phishing continues to be a major threat faced by enterprises. Last month, it emerged that the $620 million Axie Infinity hack was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn.
