Cyber Incident Victim: Twilio
Date: Aug 2022
Location: United States of America
Summary
A cloud communications company experienced a data breach when attackers compromised employee credentials through an SMS phishing campaign impersonating its IT department, using messages urging password updates with malicious links containing branded keywords. The threat actors leveraged stolen credentials to infiltrate internal systems, accessing limited customer account data before the company revoked compromised access, notified impacted customers, collaborated with carriers and hosting providers to disrupt malicious infrastructure, and engaged law enforcement in an ongoing investigation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 4, 2022, Twilio detected unauthorized access to internal systems following a targeted SMS phishing campaign against its employees. Attackers impersonated Twilio’s IT department, sending text messages that directed recipients to fraudulent login pages designed to mimic legitimate Twilio sign-in portals. These messages contained embedded URLs incorporating terms such as "Twilio," "Okta," and "SSO" to appear authentic and falsely claimed employees’ passwords had expired or were scheduled for imminent changes. Multiple employees provided their credentials after interacting with these links, enabling the attackers to compromise their accounts. Using stolen credentials, threat actors infiltrated Twilio’s internal infrastructure and accessed data associated with an undisclosed number of customer accounts. The company characterized the attack as a sophisticated social engineering operation but did not quantify how many employees fell victim to the scheme or specify the exact volume of compromised customer accounts.

Twilio initiated containment measures upon discovering the breach, collaborating with U.S. telecommunications carriers to disrupt the attackers’ SMS infrastructure and coordinating with hosting providers to deactivate malicious domains. The company revoked access privileges for compromised employee accounts to sever the attackers’ entry points into its systems. Affected customers received direct notifications, though Twilio declined to publicly disclose their identities or the categories of exposed data. Law enforcement agencies were engaged to support the ongoing investigation, which had not yet attributed the attack to a specific threat actor as of the initial disclosure. Twilio, which employs over 5,000 staff across 26 global offices and provides communication APIs to more than 150,000 businesses, emphasized the incident’s limited scope relative to its customer base but did not release further technical details regarding the compromised internal systems or the duration of unauthorized access.
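The lure pattern described above (brand and SSO terms such as "Twilio", "Okta" and "SSO" embedded in URLs that do not belong to the company's real sign-in domains) can be turned into a simple triage check for URLs extracted from reported SMS messages. This is an added defender-side example, not code from the incident write-up or from Twilio; the trusted-domain allowlist and the sample URLs are placeholders constructed for illustration.

```python
from urllib.parse import urlsplit

# Brand/SSO terms the smishing lures embedded in their URLs, per the incident write-up.
LURE_KEYWORDS = ("twilio", "okta", "sso")

# Assumed allowlist of registrable domains the organisation really uses for sign-in.
# Placeholder values; a real deployment would load the company's own list.
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive; ignores multi-part public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a URL found in an SMS."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    if not host:
        return "unrelated"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Brand terms in the host or path of a non-trusted domain is exactly the
    # lookalike pattern the campaign used to pass as a legitimate SSO page.
    haystack = (host + parts.path).lower()
    if any(term in haystack for term in LURE_KEYWORDS):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Group URLs by verdict; returns a dict mapping verdict -> list of URLs."""
    out = {"trusted": [], "lookalike": [], "unrelated": []}
    for url in urls:
        out[classify_url(url)].append(url)
    return out


# Constructed sample URLs in the shape of the lures described; none are real indicators.
SAMPLE_URLS = [
    "https://login.okta.com/",
    "https://twilio-sso.example.net/reset",
    "https://okta.example.org/twilio/login",
    "https://www.twilio.com/login",
    "https://news.example.com/article",
]

if __name__ == "__main__":
    for verdict, urls in triage(SAMPLE_URLS).items():
        print(verdict, urls)
```

A "lookalike" verdict is a trigger for blocking the domain and alerting the recipients, not proof of compromise; the naive domain split also needs a public-suffix list before use on multi-part TLDs.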
