Twilio data breach turns out to be more elaborate than suspected

Posted: August 29, 2022 by Pieter Arntz

Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed.

In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outisde of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to a threat actor, as well. And Signal tweeted that they, too, had been affected by the Twilio breach.

Authy

Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.

By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.

Okta

Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. OTPs typically expire after a short period (up to one minute).

Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

Signal

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.