Twilio, which enables online merchants to send texts and call customers, confirmed a phishing attack that has enabled hackers to illegally access its internal systems, exposing client data. While the extent of the breach remains unknown, data stolen from Twilio could make customers of its clients, which include major online providers like Airbnb, Twitter and Uber, vulnerable to fraud attacks including account takeovers (ATO).
According to a company blog post, attackers targeted Twilio employees with a “sophisticated social engineering attack,” texting them that their passwords had expired, or that their schedule had changed, and that they needed to log in at a URL the attacker controlled. The URLs used words including "Twilio," "Okta," and "SSO" to try to trick users into clicking a link that took them to a landing page impersonating Twilio’s sign-in page.
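The lure described above relies on hostnames that contain a brand word ("Twilio", "Okta", "SSO") without belonging to the brand. The following is an added example, not code from Twilio or from the blog post, of how a defender might triage SMS bodies for such lookalike URLs: it extracts URLs, checks each hostname against an allow-list of genuine sign-in domains, and flags any remaining host whose labels contain one of the brand keywords. The allow-list (`twilio.com`, `example-org.okta.com`), the sample messages and the `example-phish.test` domains are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Brand words the blog post says appeared in the attacker-controlled URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")

# Assumed allow-list of the organisation's genuine sign-in domains (constructed
# for this example; subdomains of these are accepted, nothing else is).
LEGIT_DOMAINS = {"twilio.com", "example-org.okta.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_allowed(host: str) -> bool:
    """True if host is one of the genuine domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def matched_keyword(host: str):
    """Return the brand keyword found in a hostname, or None.

    Labels are split on '.' and '-' and matched whole, so a short keyword
    such as "sso" does not fire on hostnames like associates.example.test.
    Longer keywords are also matched as substrings to catch run-together
    forms such as twiliosso.
    """
    host = host.lower()
    tokens = set(re.split(r"[.-]", host))
    for kw in BRAND_KEYWORDS:
        if kw in tokens or (len(kw) >= 5 and kw in host):
            return kw
    return None


def flag_lookalike(url: str):
    """Return the matched keyword when a URL's hostname carries a brand word
    but is not on the allow-list; None for allowed hosts or no match."""
    host = urlparse(url).hostname
    if not host or is_allowed(host):
        return None
    return matched_keyword(host)


def scan_messages(messages):
    """Scan (message_id, text) pairs; return [(message_id, url, keyword), ...]
    for every URL whose hostname looks like a brand impersonation."""
    findings = []
    for msg_id, text in messages:
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:)")  # drop trailing punctuation from the SMS text
            kw = flag_lookalike(url)
            if kw:
                findings.append((msg_id, url, kw))
    return findings


# Constructed sample messages modelled on the lures described in the post
# (expired password, changed schedule); the domains are invented placeholders.
SAMPLE_SMS = [
    ("msg-1", "Your password has expired. Reset it at https://twilio-sso.example-phish.test/login now."),
    ("msg-2", "Your schedule changed, review it: https://okta-sso.example-phish.test/schedule"),
    ("msg-3", "Reminder: sign in at https://login.twilio.com/ to review your account."),
    ("msg-4", "Team lunch today at noon?"),
]

if __name__ == "__main__":
    for msg_id, url, kw in scan_messages(SAMPLE_SMS):
        print(f"{msg_id}: {url} flagged (keyword '{kw}')")
```

Matching on whole labels rather than raw substrings keeps the short keyword "sso" from producing noise, and the allow-list check runs first so that genuine subdomains such as `login.twilio.com` are never flagged while `twilio.com.example-phish.test` still is. In practice the allow-list would come from the organisation's own inventory of identity-provider hostnames.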
A recent report from cybersecurity provider SpyCloud found a significant increase in the exposure of login credentials and personally identifiable information (PII) belonging to employees of Fortune 1000 companies. The study also found a 64 percent password reuse rate.
Twilio stressed in its statement that the attack was only able to access “a limited number of accounts’ data.”
“We have been notifying the affected customers on an individual basis with the details,” the company said. “If you are not contacted by Twilio, then it means we have no evidence that your account was impacted by this attack.”