The number of companies caught up in the Twilio hack keeps growing

There's more to come from this month's security provider hack. Three new companies, Authy, password manager LastPass, and food delivery service DoorDash, said recently that they were hacked because of the Twilio compromise.

The three companies join authentication service Okta and secure messenger provider Signal in the dubious club of Twilio customers known to be breached in follow-on attacks that leveraged the data obtained by the intruders. In all, security firm Group-IB said on Thursday, at least 136 companies were similarly hacked, so it's likely many more victims will be announced in the coming days and weeks.

Uncommonly resourceful

The compromises of Authy and LastPass are concerning. 75 million users have Authy's two-factorAuthentication token. The only thing preventing the takeover of more accounts is the passwords the threat actor has already obtained. The threat actor was able to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords, according to Authy. It could be very bad if those accounts are owned by someone else. Unauthorized devices have been removed from those accounts.

The threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment, according to LastPass. The phishers took some LastPass technical information from there. LastPass said that the customer's personal information wasn't affected. The LastPass data that is known to be obtained isn't particularly sensitive, but a major password management provider has a lot of data to store.


A number of customers' names, email addresses, delivery addresses, phone numbers, and partial payment card numbers were stolen by the same threat actor. The DoorDash contractors' phone numbers and email addresses were obtained by the threat actor.

As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision. The threat actors had private phone numbers of employees, more than 169 counterfeit domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.

The threat actor's ability to remain undetected since March demonstrates its skill and resourcefulness. It's not uncommon for companies to include information that was compromised in their disclosures after a breach is announced. If more victims here do the same, it will be no surprise.

There is a lesson to be learned from this mess. The threat actors were able to circumvent this last form of defense against account takeovers by using one-time passwords.

The company that did not fall victim was Cloudflare. Physical keys such as Yubikeys can't be phished and that's why Cloudflare employees relied on 2FA. Unless physical key-based 2FA is a staple of their digital hygiene, companies should not be taking security seriously.