Twilio suffers data breach after its employees were targeted by a phishing campaign

Digital communication platform Twilio was hacked after a phishing campaign tricked its employees into revealing their login credentials (via TechCrunch). The company disclosed the data breach in a post on its blog, noting that only “a limited number” of customer accounts were affected by the attack. Twilio allows web services to send SMS messages and place voice calls over telephone networks and is used by companies including Uber, Twitter, and Airbnb.

The hack occurred on August 4th and involved a bad actor sending SMS messages to Twilio employees that asked them to reset their password or alerted them to a change in their schedule. Each message included a link with keywords, like “Twilio,” “SSO” (single sign-on), and “Okta,” the name of the user authentication service used by many companies. The link directed employees to a page that mimicked a real Twilio sign-in page, allowing hackers to collect the information employees inputted there.

After it became aware of the breach, Twilio worked with US phone carriers to shut down the SMS scheme and also had web hosting platforms take down the phony sign-in pages. Despite this, Twilio says that hackers managed to swap to new hosting providers and mobile carriers to continue their campaign.

“Based on these factors, we have reason to believe the threat actors are well-organized, sophisticated and methodical in their action,” Twilio adds. “Socially engineered attacks are — by their very nature — complex, advanced, and built to challenge even the most advanced defenses.”

Twilio’s working with law enforcement to find out who’s responsible for the campaign and says it also heard from companies that “were subject to similar attacks.” Twilio has since shut down access to the compromised employee accounts and will also alert any customers affected by the breach.

Social engineering is becoming an increasingly common tactic for hackers. Earlier this year, a report from Bloomberg revealed that both Apple and Meta shared data with hackers pretending to be law enforcement officials. Last year, a hacker tricked a Robinhood customer service representative into disclosing the information of over 7 million customers.