(Bloomberg) -- Twilio Inc., which offers digital authentication solutions, said some of its employees and customers were hacked as part of a scheme in which outsiders duped employees into handing over their passwords.
San Francisco-based Twilio represents a ripe target for hackers because access to its service could potentially enable them to access Twilio clients or particular accounts. The company said it became aware of the incident on Aug. 4.
“This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said in a blog post on Sunday. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
Twilio said it hasn’t identified the specific hackers responsible for the breach, and that it has hired a computer forensics firm to assist in remediation of the breach. Twilio said that other companies were also subject to attacks, though it didn’t identify any by name.
Attackers targeted the company’s employees with phony text messages stating that the staffers’ password credentials had expired. The texts included links to websites controlled by hackers that appeared to be legitimate. When employees entered their username and password into the website, hackers harvested that information.
In the past three days, hackers have been targeting companies that provide two-factor authentication services in an attempt to steal cryptocurrency, compromise telecommunications companies and breach customer relationship management portals, according to three computer security professionals tracking the scheme. The alleged hackers have a particular interest in SIM swapping, the people said, referring to a criminal tactic where hackers compromise telecommunications providers to gain control of a target’s phone number.
It’s not yet known whether the same group of hackers is responsible for the breach of Twilio.
Twilio’s shares had increased by 2% at midday Monday.
“The social engineering method to gain access to credentials via text message to log in as the user and then steal data is becoming more common,” said Rachel Tobac, chief executive officer of SocialProof Security. “Cybercriminals starting the attack via text message can catch the victim off guard because many are used to hearing phishing as something that happens via email rather than text, and also gets the victim on a personal device with less protections.”
Security researchers noticed new websites being registered that bore similar names to the companies being targeted, including major telecommunication companies, cryptocurrency exchanges, and computer security companies. The websites were used to host fake pages designed to look like legitimate employee login portals. The researchers were able to link the fake domains because they were registered around similar times and had similar technical attributes.
In March, the two-factor authentication provider Okta Inc. was compromised by a group of hackers dubbed Lapsus$. The hacking group embarked on a spree of hacks, breaching major firms like Microsoft Corp. and Nvidia Corp. Bloomberg News later reported that the alleged mastermind behind the group was a teenager in England, who was later charged with computer crimes.
(Updates with Twilio value in eighth paragraph and a quote in ninth paragraph. A previous version of this story corrected a misspelling.)
©2022 Bloomberg L.P.