A vishing attack allegedly caused another hack on Twilio

November 9, 2022

The California-based cloud communications firm Twilio revealed that a newly disclosed data breach from last June was the work of the same hackers behind a vishing attack a couple of months ago that affected its systems.

Based on the investigation, the newly discovered attack against the company was only a brief security incident. The intrusion began with a social engineering tactic used against one of its employees, whom the attacker tricked into handing over credentials.


The actors used the credentials obtained from that employee through a voice phishing (vishing) attack to access contact information for several customers.


Fortunately, the threat actor's access was quickly identified and revoked within 24 hours. The company has now notified the customers whose information was affected by the incident last June.

According to Twilio's announcement, the culprits of the August incident had accessed the information of about 209 customers and 93 Authy users. The actors breached the company through an internal non-production system using employee credentials stolen in a phishing attack.

The company also found no evidence that the hackers used its customers' console account credentials for nefarious purposes. The attackers did access stolen authentication tokens and API keys, but the company insisted that no anomalies were found that could affect users.

The company admitted that the attackers were able to maintain persistence for a couple more days after it disclosed the cybersecurity incident on August 7. The last observed unauthorised activity in Twilio's environment was on August 9.

Experts revealed that the attack on Twilio is part of a much larger cybercriminal campaign by a threat group called 0ktapus (also known as Scatter Swine), which has targeted at least 130 organisations, including Cloudflare, Klaviyo, and MailChimp.

In a similar incident, Cloudflare revealed that its workers had also been hit by an identical SMS phishing attack, resulting in more stolen credentials. Fortunately, the stolen credentials were rendered useless because the company's hardware security keys blocked the attackers from using them.

Twilio has adopted a similar approach, resetting the credentials of the compromised employee accounts and distributing FIDO2 tokens to all personnel.
