163 of the company's customer organizations were affected by the breach that occurred at the beginning of August. Out of Twilio's 270,000 clients, 0.06 percent might seem insignificant, but the company's particular role in the digital ecosystem means that this fractional slice of victims had an outsized value and influence. Signal, Authy, and Okta are all Twilio customers that were victims of the breach.
Companies can automate calls and texting with the help of Twilio. A barber could use the system to remind customers about haircuts and have them text back to confirm or cancel. It can be the platform through which organizations manage their text messaging systems, including the delivery of two-factor authentication codes. It's been known for a long time that SMS is an unsafe way to receive these codes, but it's still better than nothing. Authy uses some of Twilio's services.
Phishing attacks can give attackers valuable access into a target network, but they can also kick off supply chain attacks, in which access to one company becomes a stepping stone to its customers.
One security engineer who asked not to be named said that the hack will go down as one of the more sophisticated long-form hacks in history. It was a patient hack, and a broad one. Pwn the multi-factor security.
Attackers compromised Twilio as part of a massive, yet tailored phishing campaign against more than 130 organizations. The texts often claimed to come from a company's IT department or logistics team and urged recipients to click a link or log in to review a scheduling change. The malicious URLs contained words like "Twilio," "Okta," or "SSO" to make them appear more legitimate, according to Twilio. The company said at the beginning of August that it wasn't compromised because of its limits on employee access and use of physical login keys.
Crane Hassold is the director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. As text message alerts become more common within organizations, these types of phishing messages are going to become more successful. I get a lot of text messages from companies I do business with, and that wasn't the case a year ago.