Why the Twilio Breach Cuts So Deep

The phishing attack on the SMS giant exposes the dangers of B2B companies to the entire tech ecosystem.
optical illusion of nestled smartphones isolated on red background
Photograph: fedcophotogrphy/Getty Images

The communication company Twilio suffered a breach at the beginning of August that it says impacted 163 of its customer organizations. Out of Twilio’s 270,000 clients, 0.06 percent might seem trivial, but the company's particular role in the digital ecosystem means that the fractional slice of victims had an outsize value and influence. The secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta are all Twilio customers that were secondary victims of the breach.

Twilio provides application programming interfaces through which companies can automate call and texting services. This could mean a system a barber uses to remind customers about haircuts and have them text back “Confirm” or “Cancel.” But it can also be the platform through which organizations manage their two-factor authentication text messaging systems for sending one-time authentication codes. Though it's long been known that SMS is an insecure way to receive these codes, it's definitely better than nothing, and organizations haven't been able to move away from the practice completely. Even a company like Authy, whose core product is an authentication code-generating app, uses some of Twilio's services.

The Twilio hacking campaign, conducted by an actor that has been called “0ktapus” and “Scatter Swine,” is significant because it illustrates that phishing attacks can not only provide attackers valuable access to a target network, but even kick off supply chain attacks, in which access to one company’s systems provides a window into those of their clients.

“I think this will go down as one of the more sophisticated long-form hacks in history,” said one security engineer who asked not to be named because their employer has contracts with Twilio. “It was a patient hack that was super-targeted yet broad. Pwn the multi-factor authentication, pwn the world.”

Attackers compromised Twilio as part of a massive yet tailored phishing campaign against more than 130 organizations in which attackers sent phishing SMS text messages to employees at the target companies. The texts often claimed to come from a company's IT department or logistics team and urged recipients to click a link and update their password or log in to review a scheduling change. Twilio says that the malicious URLs contained words like "Twilio," "Okta," or "SSO" to make the URL and the malicious landing page it linked to seem more legitimate. Attackers also targeted the internet infrastructure company Cloudflare in their campaign, but the company said at the beginning of August that it wasn't compromised because of its limits on employee access and use of physical authentication keys for logins. 

“The biggest point here is the fact that SMS was used as the initial attack vector in this campaign instead of email,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “We’ve started to see more actors pivoting away from email as initial targeting, and as text message alerts become more common within organizations it’s going to make these types of phishing messages more successful. Anecdotally, I get text messages from different companies I do business with all the time now, and that wasn’t the case a year ago.”

The hackers used their Twilio access to compromise 93 Authy accounts and authorize additional devices that the attacker controlled instead of the account owner. Authy has roughly 75 million users. Meanwhile, the Twilio breach potentially exposed 1,900 accounts on the encrypted communication app Signal, and attackers seem to have actually used the access to initiate takeovers of as many as three accounts. Because of how Signal is designed, attackers wouldn't have gotten access to a user's message history or contact list, but would have been able to impersonate the user and send messages while in control of the account.

On Thursday, the online food delivery service DoorDash announced that it suffered a breach of some internal systems and user data because one of its third-party service providers was compromised. “Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack,” DoorDash wrote in a statement. “The unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.” The marketing automation platform Mailchimp said earlier this month that it was breached in a phishing attack on its employees as well.

Researchers from the cybersecurity firm Group-IB said in a report on Thursday that it had identified and notified 136 organizations that seemed to be victims of the phishing campaign. Of those, 114 victim companies are based in the United States. And the researchers found that the majority of targets are cloud services, software development companies, or IT management firms. The findings underscore the seemingly thoughtful and targeted nature of the campaign to maximize impact by focusing on internet infrastructure and business management services that provide crucial support, including components of login authentication, for large clients.

“We are very disappointed and frustrated about this incident,” Twilio wrote in an update on August 10. “Trust is paramount at Twilio, and we recognize that the security of our systems and network is an important part of earning and keeping our customers' trust.”

Phishing has been an inveterate and consequential threat for years, playing a role in many impactful breaches around the world, including Russia's attack on the Democratic National Committee in 2016. But if the next phase of the trend is phishing-fueled supply chain attacks, the scale of the collateral damage will magnify in an unprecedented way.