Communication services provider Twilio this week disclosed that it experienced another “brief security incident” in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.
The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.
“In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” Twilio said.
It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.
The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, and why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from 163 it reported on August 24, and 93 Authy users.
Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has approximately 75 million total users.
“The last observed unauthorized activity in our environment was on August 9, 2022,” it said, adding, “There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys.”
To mitigate such attacks in the future, Twilio said it’s distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness about social engineering attacks.
The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.
The infection chains entailed identifying mobile phone numbers of employees, followed by sending rogue SMSes or calling those numbers to trick them into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the networks.
As many as 136 organizations are estimated to have been targeted, some of which include Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and an unsuccessful attack aimed at Cloudflare.