Twilio has disclosed that unknown hackers used a smishing attack to deceive several of its employees into providing their credentials, giving the criminals a way into its infrastructure.
“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials,” said the company in an announcement.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio added. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
The threat actors sent SMS text messages to current and former Twilio employees, claiming to be from the IT department. The messages told employees that their passwords had expired or that the schedule had changed.
“The URLs used words including ‘Twilio,’ ‘Okta,’ and ‘SSO’ to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” the company said in its announcement.
The victims were then redirected to a fake Twilio sign-in page, where they handed their actual credentials to the hackers. Notably, the attack was quite sophisticated, as the attackers had a method to match employee names from sources with their phone numbers.
After gaining access, the threat actors accessed a limited volume of account data, and the company has notified potential victims. The investigation into the attack is still ongoing, and Twilio said that other companies have suffered similar problems.
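The lure URLs described in the announcement put the words "Twilio," "Okta," and "SSO" in hostnames the company does not own, which gives defenders something to match on in SMS gateway, proxy or DNS logs. The following Python is an added example, not code from Twilio's announcement; the keyword lists, the allowlist and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed for this example: keyword lists and allowlist are illustrative, not from Twilio.
BRAND_SUBSTRINGS = ("twilio", "okta")   # matched anywhere in the hostname
GENERIC_TOKENS = {"sso"}                # matched only as a whole token, to avoid "lesson"
ALLOWED_DOMAINS = ("twilio.com", "okta.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hostname(url):
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:                  # malformed URL, e.g. broken IPv6 brackets
        return ""

def is_allowed(host):
    # Suffix match on a label boundary, so "okta.com.portal.example" is NOT allowed.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def matched_keywords(host):
    hits = [k for k in BRAND_SUBSTRINGS if k in host]
    tokens = set(re.split(r"[.\-]", host))
    return hits + sorted(GENERIC_TOKENS & tokens)

def flag_urls(text):
    """Return (url, host, keywords) for URLs using brand keywords on a non-allowlisted host."""
    findings = []
    for url in URL_RE.findall(text):
        host = hostname(url)
        if not host or is_allowed(host):
            continue
        hits = matched_keywords(host)
        if hits:
            findings.append((url, host, hits))
    return findings

# Constructed sample messages; the lookalike hosts use the reserved .example TLD.
SAMPLES = [
    "Notice: your password has expired. Sign in at https://twilio-sso.example/login",
    "Your schedule has changed, review: http://okta.com.portal.example/verify",
    "Developer docs moved to https://www.twilio.com/ this week",
    "Lunch menu: https://cafeteria.example/today",
]

if __name__ == "__main__":
    for message in SAMPLES:
        for url, host, hits in flag_urls(message):
            print(f"FLAG host={host} keywords={hits}")
```

Keyword matching of this kind is a triage signal rather than a verdict; pairing it with domain age or first-seen data reduces false positives.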