Do you use Twilio?

Twilio is a cloud communications company and is the latest to fall victim to a data breach. The company recently disclosed that some of its customer data was accessed by unknown attackers who gained access to the system by stealing employee login credentials via an SMS phishing attack, known as 'Smishing,' for short.


Twilio's disclosure reads in part

"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data."

The smishing attack succeeded because the attackers were able to convince company employees that the SMS messages, they were receiving were coming from the company's own IT department.  The messages contained URLs containing the keywords "Twilio," "SSO" and "Okta" which are commonly used by the company.


Employee's and customer's data was breached

Unfortunately, if an employee tapped these links, they would not be taken to company resources but rather to a page that had been cloned to appear as a legitimate company sign in page.

Here, they received a message that their password had expired, and the employee was asked to enter their information as part of the process of changing it.

Naturally, this action did not change the employee's password, but it did hand it over to the hackers waiting on the other end.

Per a Twilio spokesman:

"The attackers were only able to access data belonging to a limited number of customers, and the company is currently in the process of reaching out to those who were impacted."


My perspective

If you have a Twilio account and are not contacted, your data and your account should be fine.  If you are contacted, Twilio will provide you with additional information about dealing with the breach.


As Colonel Kilgore says: I love the smell of napalm in the morning.


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.

For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter

I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.


Contact me if you would like me to speak to your association