Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed.
In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outisde of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to a threat actor, as well. And Signal tweeted that they, too, had been affected by the Twilio breach.
Authy
Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.
By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.
Okta
Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. OTPs typically expire after a short period (up to one minute).
Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.
Signal
Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.
Signal’s tweet about the Twilio breach
Scatter Swine
The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.
In this campaign, spanning recent months, a number of technology companies were subject to persistent phishing attacks by a threat actor that you will see referred to as Scatter Swine or Oktapus. This threat actor is known to repeatedly target the same organizations with multiple phishing attacks within a matter of hours.
In the Twilio case, the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization. A review of logs provided by Twilio revealed that the threat actor was seeking to expand their access. It is likely that the threat actor used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for OTPs sent in those challenges.
Mitigation
If you are a user of any of the services mentioned above, you should have been notified if your account was affected, but it doesn’t hurt to check the advice and details about the attack on their respective sites.
- Authy: enable or disable Authy multi-device
- Okta: ScatterSwine
- Signal: Twilio incident: what Signal users need to know
- MailChimp: information about a recent security incident targeting crypto companies
One general piece of advice is to be extra vigilant about “new device added” notifications from any provider. This could be a warning signal that a threat actor is trying to intercept 2FA messages or OTPs that are intended for you.