Hackers Compromise Employee Accounts to Access Twilio Internal Systems

Hackers Compromise Employee Accounts to Access Twilio Internal Systems

Twilio says the threat actors behind the attack had “sophisticated abilities to match employee names from sources with their phone numbers.”

Twilio experienced a sophisticated social engineering attack on August 4th, 2022, which led to employee accounts being accessed by a malicious third party.

Relying on the stolen logins, the attackers went on to gain access to Twilio’s internal systems along with a limited number of Twilio customer accounts and their data, said the San Francisco, California-based cloud communication platform on Monday, August 8th.

According to Twilio, former and current employees of the company were hit by phishing attacks. The phishing links were sent through text messages (a technique called SMS Phishing or SMishing) supposedly from the company’s IT department.

As seen in the screenshot below, the sender(s) attempted to trick targeted employees into clicking links and login to update their Twilio employee passwords. The attackers used terms like Twilio,” “Okta,” and “SSO” to convince victims into opening the links.

Hackers Compromise Employee Accounts to Access Twilio Internal Systems
Screengrab: Twilio

It is worth noting that Twilio uses Okta for data security and other related solutions, while SSO refers to Single Sign-On which enables customers to allow their users to login to Twilio Console using their corporate Identity Provider (such as Azure Active DIrectory, Okta, Onelogin, etc) credentials.

The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.


In a blog post, Twilio said that the customers impacted by the breach are being contacted by Twilio while the incident is still being investigated with the help of “a leading forensics firm.” The company says it is taking steps to prevent similar incidents from happening in the future.

Employee Cyber Security Training is MUST

The insider threat has emerged as one of the most dangerous and ruthless threats to big as well as small businesses. It doesn’t have to be a malicious insider, an employee ignorant of basic cyber security and social engineering threats, is good enough to do the damage.

One such example includes GoDaddy, whose employees have a history of being compromised by giving away their most important login credentials. In November 2020, hackers targeted GoDaddy customers to modify the DNS settings of at least two cryptocurrency websites.

The investigations revealed that attackers breached GoDaddy’s internal systems by tricking two GoDaddy employees and obtaining control of their accounts.

Therefore, cybersecurity training is a must. Organizations serious about their customers’ data should focus on teaching employees on spotting phishing scams/attempts. Here are some quick tips:

  • Phishing attempts almost always contain a link, downloadable attachment, or directive telling people to do something ASAP.
  • There are often a lot of spelling mistakes, but not always.
  • The email or text message can instill a sense of urgency to get people to act quickly without thinking.
  • It may be a threat or even blackmail, as is the case with sextortion phishing scams.
  • The email signature will usually look strange or different from normal.
  • Despite all of the common telltale signs, phishing emails can look legitimate. Hackers can make spear phishing attacks that look like a known company, bank, or contractor sent the email. However, employees should use common sense to think about whether this email was warranted. Does it contain a link and is asking them to log onto their account for no reason? Most banks, for example, won’t send an email asking people to log into their accounts or send any links.
  • Phishing emails or messages aren’t always from strangers. Sometimes they’re sent from the compromised accounts of friends, coworkers, or other contacts.

  1. Lapsus$ Hackers Stole T-Mobile’s Source Code and Systems Data
  2. Telecom giant behind routing SMS discloses 5-year-long data breach
  3. Bandwidth.com is the latest victim of nonstop DDoS attacks against VoIP
  4. Hacker extracts customer data from Canadian Telecom Firm after rebuttal
  5. Croatian Police arrests minor over A1 Telecom data breach & ransom demand

Related Posts