Privacy Ninja

Twilio: 125 Customers Affected by Data Breach, No Passwords Stolen

Twilio: 125 Customers Affected by Data Breach, No Passwords Stolen

Cloud communications giant Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers who had their data accessed during a security breach discovered last week.

The company added the attackers behind this incident weren’t able to gain access to the affected clients’ authentication information.

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio revealed in an update to the original disclosure.

“There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”

The attackers gained access to Twilio’s network using credentials belonging to multiple employees, stolen in an SMS phishing attack.

Also Read: Top 10 Main Reasons for Outsource Website Development

After discovering the intrusion, Twilio revoked the compromised employee credentials to block the attackers’ access to its systems and started notifying affected customers.

The company also asked several U.S. mobile carriers to shut down the accounts used to deliver the phishing messages, but the threat actors switched to new accounts and resumed their attacks.

SMS phishing message sent to Twilio employees
SMS phishing message sent to Twilio employees (Twilio)

Coordinated SMS phishing campaign

Twilio said that it coordinated its account takedown requests with other tech companies that have also been targeted in similar attacks.

Cloudflare, whose employees also had their credentials stolen in a similar SMS phishing attack, said the attackers failed to breach its systems after their login attempts were blocked because its employees are using company-issued FIDO2-compliant hardware security keys.

“While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare explained.

Also Read: Understanding The Data Intermediary In Data Protection

Twilio also disclosed in May 2021 that it was affected by last year’s Codecov supply-chain attack where threat actors trojanized the legitimate Codecov Bash Uploader tool to steal credentials and secret keys from Codecov customers.

It provides programmable voice, text, chat, video, and email APIs used by over 10 million developers at 150,000 companies (including Coca-Cola, Salesforce, Dell, Twitter, VMware, Uber, Stripe, and eBay) to build customer engagement platforms.

In February 2015, Twilio also acquired Authy, a popular two-factor authentication (2FA) provider for end users and enterprises with millions of users worldwide.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us