Twilio’s client base includes Pittsburgh, New York City and various state, local and federal agencies, according to reseller partner Carahsoft. The services help agencies communicate with residents through various channels, Carahsoft and Twilio said in a May 2022 press release.
Intruders started trying to trick employees into revealing their account credentials “several weeks ago,” according to the company’s blog post. Some of these ploys succeeded, and perpetrators then used the logins to access several of Twilio’s internal systems, and through that, customer data. The firm discovered the breach on Aug. 4.
Twilio Corporate Communications Director Cris Paden told GovTech the firm had no comment on whether public-sector clients were among those impacted by the breach. Paden also said the firm had no comment about the type of customer data compromised or likely number of impacted customers.
The social engineering attacks against Twilio employees continue, per the blog post. The firm said it removed access to the compromised accounts and warned staff to stay wary. A forensics company is helping investigate the incident, and Twilio said it has also been in communication with law enforcement.
“We are still early in our investigation, which is ongoing,” the blog states.
The firm has started reaching out individually to impacted customers, per its blog post.
Pittsburgh and New York City did not respond by press time about whether they were affected.
Perpetrators have been impersonating Twilio’s IT department in text messages sent to both former and current employees. The messages are designed to trick employees into disclosing their account credentials, by directing them to enter their logins on webpages that look legitimate but actually belong to the fraudsters.
“Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls,” Twilio’s blog states. “The URLs used words including ‘Twilio,’ ‘Okta,’ and ‘SSO’ to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page.”
Twilio said the messages were particularly persuasive because they addressed employees with the correct names, used legitimate-seeming website URLs and “originated from U.S. carrier networks.”
The firm is not yet aware who is behind this activity and said other companies are reporting similar attacks.
Twilio collaborated with U.S. carriers and hosting providers to stop fraudsters’ texts and shut down their imitation webpages, per its blog post. But perpetrators have shifted to using other carriers and other hosting providers to continue attacks.
Twilio said it revoked access from the compromised accounts and, when it started seeing the phishing attempts, began assigning more social engineering awareness training to employees and alerting them about the attackers’ particular methods.