How the Twilio Breach Affects You
You may not know them, but you may know companies that use them.
A huge hat tip to TechCrunch's Carly Page, who has been doing excellent work covering the Twilio attack, which, as Lando might say, gets worse and worse all the time. What's the background?
Twilio is most famous for helping companies like Facebook and Uber manage their customer text messaging, including things like sending you a second factor by SMS. On August 8th, Twilio announced that attackers had phished login credentials from employees and accessed customer data for about 163 customers. Twilio did not publicize the company names, though some, like Signal, have notified users.
If you're curious, here's how the phishing attack worked. It looks like the attackers used data aggregation services to get hold of employee names and phone numbers. They then sent targeted Twilio employees text messages saying things like the employee's passwords had expired or their schedule had changed, and then prompting them to click a link to log in. Of course, that link went to a malicious site that captured the login credentials. Twilio worked with carriers and web hosts to stop the messages and shut down the malicious website. However, on Thursday, single sign-on provider Okta noted that when the attackers had access to Twilio, they were able to access a small number of Okta customers' one-time passwords.
Even after being shut out of Twilio, the attackers kept rotating their accounts and targeting companies that used Okta's services. Singapore-based security company Group-IB told TechCrunch it believes the attackers have compromised 9,931 accounts at 130 companies since March, mostly in the US. Group-IB believes one participant in the attacker group may live in North Carolina. DoorDash has confirmed that attackers gained access to its internal tools and to customers' and drivers' names, email, phone numbers and delivery addresses. The company did not say how many accounts were accessed, only calling it a small percentage. DoorDash told TechCrunch that in its case, the attackers phished credentials from a third-party vendor that was not Twilio.
But wait, there's more. Twilio has also confirmed that multi-factor authentication code manager Authy was affected by the Twilio breach, and that attackers were able to access the accounts of 93 users and register additional devices. Authy provides a service to keep multi-factor codes in sync on multiple devices. For those 93 accounts, attackers would have been able to add a device and see the multi-factor codes for any accounts managed through Authy. Authy has since identified and removed the suspicious devices and advised affected users to disable multi-device support and review devices on their account.
Here are other tech stories this week I’ve been following. Paid users can get expanded details about them below. Thanks for your support!
- Mark Zuckerberg Says New VR Headset Coming in October
- It was a big week for Twitter (Musk lawsuit, podcasts and more)
- Nvidia Says Inventories High, Prices Coming Down
- T-Mobile Partners With Starlink For Cell Coverage from Space
- FitBit Announces Three New Trackers
- Amazon Announces Voice Control for Video Games
- Ethereum Proof of Stake Scheduled to Begin September 6th
- Apple Sets Event for Wednesday September 7th
- False Positive Causes Google Account Lockout, Google Will Not Change Its Decision
- LastPass Codebase Breached
- YouTube Launches Podcast Hub
- Zencastr Adds Podcast Distribution Feature
- A Keurig for Growing Lettuce
- MoviePass is Back
- Apple Security Update Causes Panic Because It Gave Details