Twilio Fails Simple Test — Leaks Private Data via Phishing

Twilio (NYSE:TWLO) customer data has leaked—after a simple phishing attack on employees. The firm isn’t saying how many end-users are affected, but it could run into the millions.

CEO Jeff Lawson (pictured) has been uncharacteristically silent about the affair. He seems to be leaving it to his PR people to communicate—and they’re doing a piss-poor job of it.

Twilio PR is spinning it as a “sophisticated” attack. In today’s SB Blogwatch, we just point and laugh.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nancy Sinatska.

“Sophisticated” Sophistry

What’s the craic? Let’s turn to Carly Page—“Twilio hacked by phishing campaign”:

More than 150,000 corporate customers
Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. The San Francisco-based company, which allows users to build voice and SMS capabilities … into applications … became aware that someone gained “unauthorized access” … to some Twilio customer accounts on August 4.

The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired. … The same actor also set up phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider.

Twilio spokesperson Laurelle Remzi declined to say how many customers were affected or what data was accessed by the threat actors. … Twilio has more than 150,000 corporate customers, including Facebook and Uber.

Ouch. And how many end-users behind those 150,000 firms? Sergiu Gatlan loses count—“Twilio discloses data breach”:

Millions of users
​The SMS phishing messages baited Twilio’s employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed. … The company has not yet identified the attackers, but it’s working with law enforcement.

Twilio revoked the employee accounts compromised during the attack to block the attackers’ access … and has started notifying customers affected. … With more than 5,000 employees in 26 offices in 17 countries, Twillio provides programmable voice, text, chat, video, and email APIs used by over 10 million developers and 150,000 businesses to build customer engagement platforms. Twilio also acquired Authy in February 2015 … with millions of users worldwide.

It owns Authy? That’s ironic, notes kit_y:

Not a good look, especially [as] Authy [is] one of the best two factor authentication services.

As does notlukesky:

When you get hacked by the very same method that you tout as a security product that you sell (SMS 2FA).

Piling on, this Anonymous Coward blames the victims:

Multiple employees of a company that allows users to build … 2FA into applications fall for SMS phishing messages. Employees of that company, of all companies, should know better.

And Good Bot, Bad Bot isn’t impressed:

I use Authy … for 2FA. [I’ve received] no email but will change my password just in case. How do “IT staff” fall for this? #facepalm

What does Twilio have to say for itself? Here’s its “sophisticated” PR gobbledegook “Incident Report”:

Instituting betterments
We maintain a well-staffed security team using modern and sophisticated threat detection. [This was] a sophisticated social engineering attack. … Additionally, the threat actors seemed to have sophisticated abilities. … The threat actors are well-organized, sophisticated and methodical.

Twilio believes that the security of our customers’ data is of paramount importance. … Trust is paramount at Twilio, and … we sincerely apologize that this happened. … If you are not contacted by Twilio, then it means we have no evidence that your account was impacted.

We will of course perform an extensive post-mortem on this incident and begin instituting betterments.

Insti-whatnow? What should Twilio be doing? (Aside from teaching its PR flacks how to speak English, obvs.) Todd Knarr suggestifies utilizing educationalization, thuswise:

First rule: Do not trust any URL provided to you in a message like this. Your employer will have already provided you with the correct URLs to handle things like this. Ignore any URL provided in the message and go to the URL your employer gave you for password resets … or whatever. If you aren’t sure where to go, contact your employer’s IT department or your manager and talk to them directly about it. If there’s no indication of an actual problem, report the message as a phishing attempt.

If … you receive messages about needing to enter a 2FA code to confirm a password reset or account recovery and you don’t remember initiating one, do not respond to the message and do report the attempt to IT security.

Sounds like a lot of unnecessary words. bearjaws shares their experience:

All our new hires get an email from our “CEO” pretending they have to sign paperwork for their equity. It’s part of our onboarding now to warn them that if they join our LinkedIn they will get multiple phishing attempts from the “founders.” … They are real attacks that 100% happen as soon as they update their LinkedIn. They aren’t tests.

That’s far from unique. simkin’s seen similar “sophisticated” stuff:

A lot of my users have been getting very targeted phishes claiming to be from managers, along with sigs matching the sender’s actual titles, etc. [I] figured out it’s just harvested from LinkedIn. Hard to protect people when they self-publish everything needed to pretend to be them.

Meanwhile, londons_explore attempts to translate Twilio’s “no evidence that your account was impacted” PR-speak:

There were a bunch of ways employees could access the customer data unaudited, so we don’t have evidence of that. Rather than say “we don’t believe you were impacted in this attack,” we’re using weasel words to set your mind at rest, when we really have no idea.

And Finally:

Everything old is new again

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: John Phillips/Getty Images (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 590 posts and counting.See all posts by richi