Over the weekend, the US-based communications company Twilio disclosed that it suffered a data breach after a number of its employees fell for a targeted SMS phishing (smishing) campaign.
Below, we’ll give you an overview of the security incident: what happened, who was impacted and how you can prevent the same thing happening in your organisation.
Quick background: Twilio
Twilio is a big name in the B2B communications space. The company provides communication and data management tools that businesses use to interact with their customers, and its platform extends across voice, SMS and email communications.
A lot of well-known brands are Twilio customers, including household names like Deliveroo, Lyft and Coca-Cola, amongst many others.
How did the Twilio data breach happen?
In this incident, an unknown threat actor used SMS phishing messages to dupe numerous Twilio employees into sharing their login credentials, which then enabled the attacker to access the company’s internal systems.
The SMS messages were disguised as texts from Twilio’s IT department, notifying employees that their password had expired and needed to be updated. Each text carried a link to a fraudulent login page designed to look like one from Okta, the provider Twilio uses for identity and access management.
When employees followed the link, a few entered their credentials on the fake page. Rather than changing their password, the page forwarded those credentials to the threat actor, who then used them to log in to Twilio’s internal systems as those employees.
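Much of this lure is detectable before a user ever taps it: the “your password has expired” pretext combined with a link whose host is not the organisation’s real identity provider. The following is an added example, not code from Twilio or from this page, of a small SMS triage routine that an organisation could run over messages reported by staff (or over a carrier feed, where one is available). It assumes a hypothetical tenant hostname `example.okta.com` and a company brand of “example”; the sample messages are constructed for the example and are not the actual texts used in the attack.

```python
import re
from urllib.parse import urlparse

# ASSUMPTION for this example: the only legitimate login host for the organisation.
TRUSTED_LOGIN_HOSTS = {"example.okta.com"}

# Brand tokens an attacker is likely to borrow when registering a lookalike
# domain (identity provider name, "sso", and the company's own name).
LOOKALIKE_TOKENS = ("okta", "sso", "example")

# Wording of the "password expired / reset now" pretext.
PRETEXT_RE = re.compile(r"\b(password|credentials?)\b.*\b(expir\w*|reset|update)\b", re.I)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Constructed sample messages (not real attack texts).
SAMPLE_MESSAGES = [
    "IT: Your password has expired. Update it now at https://example-sso.com/login to keep access",
    "IT: your password expires in 3 days. Sign in at https://example.okta.com to update it",
    "Your parcel is waiting, confirm delivery at https://parcel-tracking.co/track/8812",
    "Team lunch at 12:30 in the kitchen",
]


def extract_hosts(text):
    """Return the lower-cased hostnames of every URL in the message body."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def is_lookalike(host):
    """True for an untrusted host that borrows a trusted brand token, e.g. example-sso.com."""
    if host in TRUSTED_LOGIN_HOSTS:
        return False
    return any(token in host for token in LOOKALIKE_TOKENS)


def triage_sms(text):
    """Classify one SMS body as 'allow', 'review' or 'block', with the reasons found."""
    reasons = []
    pretext = bool(PRETEXT_RE.search(text))
    if pretext:
        reasons.append("password-expiry pretext")

    untrusted, lookalike = False, False
    for host in extract_hosts(text):
        if host in TRUSTED_LOGIN_HOSTS:
            continue
        untrusted = True
        if is_lookalike(host):
            lookalike = True
            reasons.append(f"lookalike login host: {host}")
        else:
            reasons.append(f"untrusted link host: {host}")

    # A brand-impersonating host is blocked on its own; a pretext plus any
    # untrusted link is blocked; either signal alone goes to a human.
    if lookalike or (pretext and untrusted):
        return "block", reasons
    if pretext or untrusted:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = triage_sms(msg)
        print(f"{verdict:6} {msg!r} {why}")
```

The deliberate choice here is to treat a lookalike host as a block on its own, even without the password wording: the pretext changes from campaign to campaign, but a domain that impersonates your identity provider has no legitimate reason to be in a text to your staff. The trusted-host set is an allowlist on exact hostnames, so `example.okta.com.evil.net` is still caught.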
Twilio hasn’t disclosed exactly what the cyber criminals managed to exfiltrate once inside the company’s systems. In a blog post on the attack, Twilio stated that the malicious actors “were able to access certain customer data. We continue to notify and are working directly with customers who were affected by this incident. We are still early in our investigation, which is ongoing.”
A “well-organized, sophisticated and methodical” phishing attack
Further commenting on the attack, Twilio explained its belief that the threat actors responsible are highly sophisticated. This is due to a number of factors, including:
- The cybercriminals knew that Twilio used Okta for identity and access management
- They were able to match employee names gathered from various sources with those employees’ phone numbers in order to create hyper-personalised phishing texts
- Once it spotted the attack, Twilio contacted network carriers to stop the malicious messages. However, it notes that the threat actors “continued to rotate through carriers and hosting providers to resume their attacks.”
As well as this, Twilio noted that it was not the only target of this attack campaign. It shared that “other companies were subject to similar attacks.”
I use Twilio; should I be worried?
After Twilio discovered the breach, it revoked access to the compromised accounts, which cuts off the attacker’s existing foothold. Note that revoking access stops further activity but does not undo what was already viewed or copied while the accounts were in use.
Saying this, the investigation into the attack is still ongoing right now and we simply don’t know the full extent of the damage done. Twilio has shared that it “has been notifying the affected customers on an individual basis with the details. If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.”
In this instance, this means no news is good news. However, it’s still worth keeping an eye on the story to see how it develops, especially as the breach has only just been disclosed.
What can we learn about this data breach for the future?
Given that this attack targeted multiple companies, it’s vital that all organisations consider the lessons to be learned.
Twilio itself said it has “reemphasized our security training to ensure employees are on high alert for social engineering attacks.” From our view, this is one of the most important takeaways for organisations: the importance of security awareness and training. It should not be the only control, though. A well-crafted lure will always catch a few people, so training needs to sit alongside a safeguard that does not depend on the user spotting the fake: phishing-resistant MFA (FIDO2/WebAuthn security keys) binds the login to the legitimate origin, so a password typed into a lookalike page gives the attacker nothing they can reuse, whereas SMS or push codes can be relayed through the same phishing site.
We’ve written before about what works and what doesn’t when it comes to employee training, but here are the key takeaways:
eLearning sessions and away days aren’t effective for improving security awareness. In fact, knowledge retention rates drop by more than 50% when training is more than two minutes.
Instead, you should integrate security awareness into your employees’ daily workflows. Polymer DLP, for example, offers in-app nudges that alert your employees to risky behaviours before they perform them, such as clicking on a phishing link or sharing sensitive data with a third party.
You can find out more about our nudge solution here.