Same 0ktapus Hackers Likely Also Responsible for Earlier Breach
Customer engagement platform Twilio says the final tally of customers affected by a phishing campaign, in which employees of the San Francisco company were tricked into letting attackers bypass its multifactor authentication protections, is 209.
The company was one of a handful targeted this summer by a campaign dubbed 0ktapus or Scatter Swine that fooled employees with authentic-looking multifactor logon pages delivered via SMS messages telling the recipient to change their password (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort). The fake pages captured login data, including one-time verification codes, which the attackers relayed to the real login to gain entry into the company network.
Twilio has steadily revised upward the number of customers affected by the breach, first disclosing in August that 125 customers had their data accessed by the malicious actors. The final tally will be 209 companies, Twilio said Thursday. The company says it has a customer base of more than 270,000 companies.
It also says it found no evidence that the attackers accessed console account credentials, authentication tokens, or API keys.
The final report says the hackers gained unauthorized access to only "some internal non-production systems." Other companies, including identity and access management provider Okta, say the attackers were able to harvest phone numbers and one-time passwords pertaining to their customers.
Twilio says the last observed unauthorized activity occurred on August 9, after which the company strengthened its security measures.
The company also disclosed that on June 29 there was a similar incident in which a Twilio employee gave up login credentials during a phone phishing, or vishing, attempt. Twilio revoked the threat actor's access within 12 hours. The same threat actor was likely responsible for both incidents.
In the aftermath of the breach, Twilio reset all compromised credentials and employee accounts, blocked indicators of compromise related to the attack and requested the takedown of all observed typosquatted Twilio domains.
To prevent a repeat of such activity, Twilio has implemented a host of additional security measures, including:
- Distribution of FIDO2 tokens to all employees for stronger two-factor authentication;
- Additional layers of control on the company VPN;
- Restricted functionality on specific administrative tools;
- Increased refresh frequency of tokens for Okta-integrated applications;
- Mandatory security training for all employees.
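The reason the first item on that list matters more than the others is that a one-time code is only as trustworthy as the page the user types it into, while a FIDO2 assertion is bound by the browser to the origin of the page that requested it. The following is an added example, not Twilio's code and not part of the original article, that simulates both the attack described above (a look-alike page capturing an OTP and replaying it) and the defense (a relying party validating a WebAuthn-style assertion). The domain names, the credential key and the use of HMAC as a stand-in for the authenticator's asymmetric signature are all constructed for illustration; the TOTP secret is the RFC 6238 test vector.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed values for the example; nothing here comes from Twilio or Okta.
RP_ID = "sso.example"                      # relying party ID the real login page registers under
RP_ORIGIN = "https://sso.example"          # origin the relying party expects in clientDataJSON
PHISH_ORIGIN = "https://sso-example.com"   # look-alike domain run by the attacker (constructed)
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 test-vector secret
CRED_KEY = b"constructed-authenticator-key"  # stands in for the credential's private key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code depends only on the secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site cannot tell which page the user typed the code into."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def phish_relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code on the attacker's page; the attacker forwards it at once."""
    stolen_code = totp(secret, unix_time)        # what the fake page captured
    return rp_verify_totp(secret, stolen_code, unix_time)


def make_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    """Browser plus authenticator side of a WebAuthn 'get' ceremony.

    The browser, not the page, fills in clientData.origin and limits the RP ID
    to the page's own host, so a phishing page cannot claim the real site's identity.
    HMAC stands in for the authenticator's asymmetric signature (constructed).
    """
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                 # rejects the look-alike origin
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def phish_relay_fido2(cred_key: bytes, challenge: str) -> bool:
    """Attacker relays the real site's challenge to the victim on the look-alike page."""
    assertion = make_assertion(cred_key, PHISH_ORIGIN, challenge)  # victim taps the key
    return rp_verify_assertion(cred_key, assertion, challenge)      # relay is rejected


if __name__ == "__main__":
    now = 1_700_000_000
    print("OTP relay accepted:  ", phish_relay_totp(TOTP_SECRET, now))
    print("FIDO2 relay accepted:", phish_relay_fido2(CRED_KEY, "server-challenge"))
    legit = make_assertion(CRED_KEY, RP_ORIGIN, "server-challenge")
    print("FIDO2 legit accepted:", rp_verify_assertion(CRED_KEY, legit, "server-challenge"))
```

Two details in the verifier are worth noting. The origin check and the rpIdHash check are separate and both are needed: a real authenticator would refuse to sign for an RP ID it has no credential for, but the relying party should not rely on that and must compare the browser-supplied origin against its own allow-list. And the challenge must be single-use and tied to the session that issued it, otherwise an assertion captured once could be replayed in the same way the OTP is above.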