Communications provider Twilio this week revealed that it experienced another "brief security incident" in June 2022, caused by the same threat actor behind the August hack that resulted in unauthorized access to customer information.
The security event occurred on June 29, 2022, the company said in an updated advisory shared this week as part of its investigation into the digital break-in.
"In the June incident, a Twilio employee was socially engineered through voice phishing (or 'vishing') to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers."
It also said the access gained following the successful attack was identified and eradicated within 12 hours, and that it notified the affected customers on July 2, 2022.
The San Francisco-based company did not disclose the exact number of customers affected by the June incident, nor why the disclosure came four months after it took place. Details of the second breach came as Twilio noted that the threat actors had accessed the data of 209 customers, up from the 163 reported on August 24, and 93 Authy users.
Twilio, which offers personalized customer engagement software, has more than 270,000 customers, while its two-factor authentication service Authy has a total of about 75 million users.
"The last observed unauthorized activity in our environment was on August 9, 2022," it said. "There is no evidence that the malicious actors accessed Twilio customers' console account credentials, authentication tokens, or API keys."
To mitigate such attacks in the future, Twilio said it is distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to raise awareness of social engineering attacks.
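The reason FIDO2 keys are listed above as the answer to credential phishing is that a WebAuthn credential is bound to the site's origin: the authenticator signs over a hash of client data that the browser fills in with the origin the user actually visited, so an assertion obtained through a look-alike domain does not verify at the real site. The following is an added illustration, not Twilio's code and not a real WebAuthn library: a minimal relying-party check in Python in which the hostnames, the challenge, and the HMAC standing in for the security key's private-key signature are all constructed assumptions.

```python
"""Simplified model of the WebAuthn origin-binding check (added example).

Assumptions (not from the article): the relying party ID, the expected origin,
and an HMAC key that stands in for the authenticator's private key so the
example runs offline. In the real protocol the browser also refuses to use a
credential whose rpId does not match the page's effective domain; only the
server-side origin and challenge checks are modelled here.
"""
import hashlib
import hmac
import json
import os

RP_ID = "example-company.example"                      # constructed relying party ID
EXPECTED_ORIGIN = "https://sso.example-company.example"  # constructed legitimate origin

# Stand-in for the authenticator's private key (real keys never leave the device).
AUTHENTICATOR_KEY = os.urandom(32)


def _signed_bytes(client_data: bytes) -> bytes:
    """WebAuthn authenticators sign over rpIdHash || clientDataHash (simplified)."""
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    return rp_id_hash + hashlib.sha256(client_data).digest()


def authenticator_sign(origin: str, challenge: str) -> tuple[bytes, bytes]:
    """Model of the security key: the browser supplies the origin it is on,
    the key signs over it. Returns (clientDataJSON, signature)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(AUTHENTICATOR_KEY, _signed_bytes(client_data), hashlib.sha256).digest()
    return client_data, signature


def relying_party_verify(client_data: bytes, signature: bytes, expected_challenge: str) -> bool:
    """Server-side checks: ceremony type, fresh challenge, bound origin, signature."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:   # replay protection
        return False
    if data.get("origin") != EXPECTED_ORIGIN:          # phishing protection
        return False
    expected = hmac.new(AUTHENTICATOR_KEY, _signed_bytes(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def demo() -> dict:
    """Run the legitimate flow and a relayed look-alike flow; return the outcomes."""
    challenge = "c0nstructed-ch4llenge"
    good = relying_party_verify(*authenticator_sign(EXPECTED_ORIGIN, challenge), challenge)
    # Look-alike domain typical of SMS phishing lures; the browser would fill this origin in.
    phished = relying_party_verify(
        *authenticator_sign("https://sso.example-cornpany.example", challenge), challenge
    )
    return {"legitimate_origin": good, "lookalike_origin": phished}


if __name__ == "__main__":
    print(demo())
```

Contrast this with the SMS- or voice-phished password and one-time code the article describes: those are plain strings that verify equally well wherever they are typed, which is exactly the gap origin binding closes.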
The attack against Twilio is attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against companies in the software, telecommunications, financial services, government, and education sectors.
The infection chain entails identifying employees' mobile phone numbers, then sending fake SMS messages or calling those numbers to trick them into clicking on fake login pages, where their credentials are harvested for follow-on intrusion into the target network.
An estimated 136 organizations were targeted, including Klaviyo, MailChimp, DigitalOcean, Signal, and Okta, along with a failed attack against Cloudflare.