Cyber Incident Victim: Twilio
Date: Jun 2022
Location: United States of America
Summary
Twilio, a cloud communications provider, was hit by a social engineering campaign in which employees received SMS messages impersonating its IT department and linking to lookalike login pages that harvested credentials. Attackers used the stolen credentials to gain unauthorized access to internal systems and to data for a limited set of customer accounts. Twilio detected the intrusion, revoked the compromised credentials, and opened an investigation with external forensic specialists. Impacted customers were notified, and Twilio worked with carriers to take down the phishing domains and block the malicious messages. The incident illustrates how credential phishing of employees, even at a company whose business is authentication, can become a downstream breach for that company's customers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Twilio disclosed on August 4, 2022 that it had detected unauthorized access to its systems following an SMS-based social engineering campaign against current and former employees. Attackers impersonated Twilio's IT department via text messages that warned of expired passwords or schedule changes and directed employees to fraudulent login pages designed to harvest their credentials. Several employees submitted their credentials, enabling the threat actors to authenticate as those employees and reach limited internal systems. The attackers used this access to retrieve data from a subset of Twilio's customer accounts. Twilio's initial notice did not specify the number of affected customers; its later update put the figure at 209 customer accounts and 93 Authy end-user accounts. That update also reported a separate, earlier intrusion on June 29, 2022 in which an employee was voice-phished (vished) into handing over credentials, which is the date this record carries. Twilio's security team identified the anomalous activity during routine monitoring and began an immediate investigation to contain the breach and assess its impact.

Twilio revoked the compromised employee credentials, terminated the attackers' access, and initiated forensic analysis with assistance from cybersecurity firm Mandiant. The investigation confirmed that the attackers used the stolen credentials to target specific customer accounts, and that for the 93 affected Authy two-factor authentication users they registered additional devices to those accounts. Twilio notified affected customers directly and worked with U.S. law enforcement agencies to investigate the threat actors. The company also implemented additional security measures, including enforcement of phishing-resistant multi-factor authentication (FIDO2 hardware security keys) and enhanced employee training to recognize social engineering tactics. The key practitioner point is that a one-time code, whether delivered by SMS or a TOTP app, offers no protection here, because the lookalike page simply relays the code to the real login in real time; only an authenticator that binds its response to the origin the browser actually loaded defeats the lure. While Twilio found no evidence of broader system compromise beyond the identified intrusion vector, the incident underscores the persistent risk of credential-based attacks and the way a breach at a third-party communications platform propagates downstream to the customers that depend on it.
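To make the phishing-resistance point concrete, here is an added example (not Twilio's code and not from the original page) that models the origin binding FIDO2/WebAuthn relies on: the authenticator signs the server's challenge together with the origin the browser reports, so an assertion captured on a lookalike page carries the wrong origin and is rejected by the real relying party, whereas a relayed one-time code goes through. HMAC stands in for the authenticator's asymmetric signature to keep the script self-contained; the origins, user name and keys are constructed for the illustration.

```python
"""Origin-bound MFA versus a relayed one-time code (added illustration)."""
import hashlib
import hmac
import json
import secrets
import time

RP_ORIGIN = "https://sso.example.com"                 # constructed real login origin
PHISH_ORIGIN = "https://sso-example-com.example.net"  # constructed lookalike origin


class Authenticator:
    """Models a FIDO2 security key. It never sees a password and signs over the
    origin the browser actually loaded, not the one the user believes they are on."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # stands in for a per-site private key

    def public_key(self) -> bytes:
        # HMAC is symmetric, so the "public" key equals the signing key here;
        # a real authenticator exports only the public half of a key pair.
        return self._key

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True
        ).encode()
        return {
            "client_data": client_data,
            "signature": hmac.new(self._key, client_data, hashlib.sha256).digest(),
        }


class RelyingParty:
    """The real login server: issues one-time challenges and checks the origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def start_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> bool:
        challenge = self._pending.pop(user, None)   # challenge is single-use
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        client_data = json.loads(assertion["client_data"])
        if client_data["origin"] != self.origin:
            return False   # signed on a different site: the phishing case
        if client_data["challenge"] != challenge.hex():
            return False   # stale or replayed assertion
        expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login_works(rp: RelyingParty, authn: Authenticator, user: str) -> bool:
    challenge = rp.start_login(user)
    return rp.finish_login(user, authn.sign(challenge, RP_ORIGIN))


def webauthn_relay_is_rejected(rp: RelyingParty, authn: Authenticator, user: str) -> bool:
    """Adversary-in-the-middle: the lookalike page fetches a real challenge and
    forwards it; the victim's browser signs it with the lookalike origin."""
    challenge = rp.start_login(user)
    relayed = authn.sign(challenge, PHISH_ORIGIN)
    return not rp.finish_login(user, relayed)


def totp_relay_succeeds() -> bool:
    """Baseline for contrast: a 6-digit code is origin-blind, so a code typed
    into the lookalike page and relayed within its validity window is accepted."""
    shared_secret = secrets.token_bytes(20)   # constructed TOTP seed
    now = time.time()

    def code_at(t: float) -> int:
        step = str(int(t // 30)).encode()
        digest = hmac.new(shared_secret, step, hashlib.sha256).digest()
        return int.from_bytes(digest, "big") % 10**6

    typed_on_phish = code_at(now)        # victim types the code into the lure
    return code_at(now) == typed_on_phish  # real site verifies the relayed code


if __name__ == "__main__":
    rp, key, user = RelyingParty(RP_ORIGIN), Authenticator(), "employee@example.com"
    rp.enroll(user, key.public_key())
    print("legitimate login:", legitimate_login_works(rp, key, user))
    print("relayed WebAuthn rejected:", webauthn_relay_is_rejected(rp, key, user))
    print("relayed TOTP accepted:", totp_relay_succeeds())
```

The check that matters is the `origin` comparison in `finish_login`: the browser, not the user, fills in that field, and a registrable lookalike domain can never equal the relying party's origin. The one-time challenge additionally stops an attacker from replaying an assertion captured earlier.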
