Cisco Duo warns third-party data breach exposed SMS MFA logs

Update 4/16/24: Added Cisco's statement below.

Cisco Duo's security team warns that hackers stole some customers' VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider.

Cisco Duo is a multi-factor authentication and Single Sign-On service used by corporations to provide secure access to internal networks and corporate applications.

Duo's homepage reports that it serves 100,000 customers and handles over a billion authentications monthly, with over 10,000,000 downloads on Google Play.

In emails sent to customers, Cisco Duo says an unnamed provider who handles the company's SMS and VOIP multi-factor authentication (MFA) messages was compromised on April 1, 2024.

The notice explains that a threat actor obtained employee credentials through a phishing attack and then used those credentials to gain access to the telephony provider's systems.

The intruder then downloaded SMS and VoIP MFA message logs associated with specific Duo accounts between March 1, 2024, and March 31, 2024.

"We are writing to inform you of an incident involving one of our Duo telephony suppliers (the "Provider") that Duo uses to send multifactor authentication (MFA) messages via SMS and VOIP to its customers," reads the notice sent to impacted customers.

"Cisco is actively working with the Provider to investigate and address the incident. While the investigation is ongoing, the following is a summary of the incident based on what we have learned to date."

The provider confirmed that the threat actor did not access any contents of the messages or use their access to send messages to customers.

However, the stolen message logs do contain data that could be used in targeted phishing attacks to gain access to sensitive information, such as corporate credentials.

The data contained in these logs includes an employee's:

• Phone number
• Carrier
• Location data
• Date
• Time
• Message type

When the impacted supplier discovered the breach, they invalidated the compromised credentials, analyzed activity logs, and notified Cisco accordingly. Additional security measures were also implemented to prevent similar incidents in the future.

The vendor provided Cisco Duo with all of the exposed message logs, which can be requested by emailing msp@duo.com to help better understand the scope of the breach, its impact, and the appropriate defense strategy to take.

Cisco also warns customers impacted by this breach to be vigilant against potential SMS phishing or social engineering attacks using the stolen information.

"Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters," concludes the notification from Cisco's Data Privacy and Incident Response Team.

"Please also consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity."

The FBI warned last year that threat actors were increasingly using SMS phishing and voice calls in social engineering attacks to breach corporate networks.

In 2022, Uber was breached after a threat actor performed an MFA fatigue attack on an employee and then contacted them on WhatsApp via their phone numbers, pretending to be IT help desk personnel. This eventually led to the target allowing the hackers to log into the account and gain access to Uber's systems.

Cisco has not disclosed the supplier's name and the number of customers impacted by this incident. BleepingComputer contacted Cisco with further questions but a reply was not immediately available.

Update 4/16/24: Cisco told BleepingComputer that the incident affected approximately 1% of Duo's customers. As the company claims to have 100,000 users, this incident impacted approximately 1,000 people.

"Cisco is aware of an incident involving a single telephony supplier that sends Duo multifactor authentication (MFA) messages via SMS and VOIP to recipients based in North America," Cisco told BleepingComputer.

"Cisco is actively working with the supplier to investigate and address the incident. Based on information received from the supplier to date, we assessed that approximately 1% of Duo’s customers were impacted.  Our investigation is ongoing, and we are notifying affected customers via our established channels as appropriate."