Twilio Hacked by Phishing Campaign Targeting Internet Companies (techcrunch.com)

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. From a report: The San Francisco-based company, which allows users to build voice and SMS capabilities -- such as two-factor authentication (2FA) -- into applications, said in a blog post published Monday that it became aware that someone gained "unauthorized access" to information related to some Twilio customer accounts on August 4. Twilio has more than 150,000 customers, including Facebook and Uber. According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees to hand over their credentials, which allowed access to the company's internal systems. The attack used SMS phishing messages that purported to come from Twilio's IT department, suggesting that the employees' passwords had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.
  • It doesn't seem like it's getting any better for Twitter lately. I guess nobody is going to miss anything if Twitter and Facebook while at it fade out and eventually disappear.

  • by Todd Knarr ( 15451 ) on Monday August 08, 2022 @11:23AM (#62771884) Homepage

    First rule: do not trust any URL provided to you in a message like this. Your employer will have already provided you with the correct URLs to handle things like this. Ignore any URL provided in the message and go to the URL your employer gave you for password resets, scheduling or whatever. If you aren't sure where to go, contact your employer's IT department or your manager and talk to them directly about it. If there's no indication of an actual problem, report the message as a phishing attempt.

    If your employer uses 2FA and you receive messages about needing to enter a 2FA code to confirm a password reset or account recovery and you don't remember initiating one, do not respond to the message and do report the attempt to IT security.

    • by esev ( 77914 )

      Another way is to use a 2FA solution that has built-in protection against entering your credentials into the wrong site.

      • In this case you would be entering them into the right site. The attackers are trying to abuse the standard account-recovery process, betting on some people being careless enough to respond to any prompt for 2FA authentication that appears even if they didn't personally initiate anything that should trigger one. Unfortunately some applications (I'm looking at you, Outlook) train people to do just that by popping up requests for authentication without any apparent connection to the application expecting user
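Todd Knarr's first rule above, "ignore any URL in the message and use the one your employer gave you", can also be enforced on the gateway side before a message reaches a phone or inbox. The following is an added example, not code from the Slashdot thread, TechCrunch or Twilio: the allow-listed hosts, brand strings and sample messages are all constructed, and the classification rule (exact host match against the allow-list, with brand-bearing non-matches ranked above plain external links) is my own.

```python
# Added example (not code from the Slashdot thread, TechCrunch or Twilio):
# a gateway-side check for the rule "only follow the URL your employer gave you".
# The allow-list, brand strings and sample messages below are all constructed.
import re
from urllib.parse import urlsplit

# Hypothetical hosts staff are told to use directly for resets and scheduling.
ALLOWED_HOSTS = {"sso.example-corp.com", "hr.example-corp.com"}
# Brand strings a lookalike domain would be likely to reuse (hypothetical).
BRAND_WORDS = ("example-corp", "examplecorp")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Lowercase hostname of a URL, or None when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def classify_message(text):
    """Classify one inbound SMS/email body by where its links point.

    Returns (verdict, hosts) with verdict one of:
      'no_links'  - nothing to click, nothing to judge
      'allowed'   - every link is on the allow-list
      'lookalike' - a link host reuses the brand string but is not allow-listed
      'external'  - a link points somewhere off the allow-list
    Lookalikes outrank plain external links because they are the ones
    that imitate the IT department.
    """
    hosts = [h for h in (host_of(u) for u in URL_RE.findall(text)) if h]
    if not hosts:
        return "no_links", hosts
    verdict = "allowed"
    for h in hosts:
        if h in ALLOWED_HOSTS:
            continue
        if any(b in h for b in BRAND_WORDS):
            return "lookalike", hosts
        verdict = "external"
    return verdict, hosts


# Constructed sample messages in the shape the article describes.
SAMPLES = [
    "IT: your password expires today, reset it at https://sso.example-corp.com/reset",
    "IT: your schedule has changed, review it at https://example-corp-sso.com/login",
    "Reminder: all-hands meeting moved to 3pm, see calendar invite",
    "Your parcel is waiting: https://track.example-shipping.net/p/123",
]


def triage(messages=SAMPLES):
    """Return the verdict for each message; used by the stand-alone run below."""
    return [classify_message(m)[0] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage()):
        print(f"{verdict:9s} {msg}")
```

The match is deliberately exact rather than a suffix check: a host such as `sso.example-corp.com.evil.net` ends with the brand string but is not the allow-listed host, so it is reported as a lookalike rather than let through.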

  • by Murdoch5 ( 1563847 ) on Monday August 08, 2022 @01:12PM (#62772252) Homepage
    Since IT would only ever send identity validated emails, with PGP signing / encryption, the users who received the messages knew they were legit! If you're not using identity validation with email, then don't even bother getting upset when your users are scammed, because you didn't care enough to put in the bare minimum effort.

    Users received emails that appeared legit? Okay, but if the digital signature on those emails didn't match the cert in the key ring, which is changed every 90 days, then why does it matter? People have to stop assuming "Email is secure because of TLS.", which is an argument, or variant of an argument I hear all the time, from everyone, in every position, and with every level of technical competence!

    I'm still blown away by how often I hear "education, education, education will protect your organization.", and then find out the "education" is just "don't trust email", instead of, "Secure, Encrypt, Validate, and never feel silly for calling the person to Verify the email!". If emails were sent with signing and encryption active by default, 99.9999% (or some silly number), of attacks would be stopped before they start!

    Before anyone says something like: "Okay but X doesn't support PGP", we need to start forcing it! The single biggest security hole, in virtually every company, is email. Until we start taking email seriously, we have no right to be surprised or shocked when it's exploited.
  • The article doesn't say, but was Twilio using TOTP codes? This is a known weakness with TOTP codes.
    https://en.wikipedia.org/wiki/... [wikipedia.org]

    Not every user is careful about checking they're on the correct site before entering their credentials. And I doubt any amount of education will solve this. Probably shouldn't be using these TOTP-based methods in environments like Twilio. There are other 2FA solutions that avoid this problem.
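The "known weakness" in the comment above, and the "other 2FA solutions that avoid this problem" in esev's reply, come down to one property: whether the second factor names the site it is being used on. The following is an added example, not code from the Slashdot thread or from Twilio, showing both sides of that exchange. The TOTP half is RFC 4226/6238 as written (the secret is the RFC 4226 test-vector secret); the origin-bound half models WebAuthn-style binding with a shared-key HMAC purely to stay within the Python standard library, so the device key, origins, challenge and timestamps are all constructed, and a real authenticator would use a public-key signature over the origin instead.

```python
# Added example (not code from the Slashdot thread or from Twilio): why a TOTP
# code typed into a lookalike page still works on the real site, and why an
# origin-bound response does not. Keys, origins and times are constructed;
# the origin-bound part models WebAuthn-style binding with an HMAC so it stays
# stdlib-only (real authenticators use a public-key signature over the origin).
import hashlib
import hmac
import struct

REAL_ORIGIN = "sso.example-corp.com"            # hypothetical employer SSO host
LOOKALIKE_ORIGIN = "sso.example-corp-login.com"  # hypothetical imitation host
TOTP_SECRET = b"12345678901234567890"            # RFC 4226 test-vector secret
DEVICE_KEY = b"constructed-device-key-for-demo"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)


def totp_accepted_after_relay(now=1_000_000, relay_delay=5):
    """Code typed on the lookalike page, forwarded to the real site within the
    same time step. Nothing in the code names the site it was typed into, so
    the real site accepts it. Returns True: this is the weakness."""
    typed_on_lookalike = totp(TOTP_SECRET, now)
    return hmac.compare_digest(totp(TOTP_SECRET, now + relay_delay), typed_on_lookalike)


def origin_bound_response(device_key, challenge, origin):
    """Authenticator's answer covers the challenge AND the origin the browser is
    actually on; the user never gets to leave the origin out."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def site_verifies(device_key, challenge, response, own_origin=REAL_ORIGIN):
    """Real site recomputes over its own origin, never the one the user saw."""
    expected = origin_bound_response(device_key, challenge, own_origin)
    return hmac.compare_digest(expected, response)


def bound_accepted_after_relay(challenge=b"challenge-from-real-site"):
    """Same relay, origin-bound: the browser on the lookalike page binds
    LOOKALIKE_ORIGIN, so the real site's check over REAL_ORIGIN fails."""
    response = origin_bound_response(DEVICE_KEY, challenge, LOOKALIKE_ORIGIN)
    return site_verifies(DEVICE_KEY, challenge, response)


def bound_accepted_direct(challenge=b"challenge-from-real-site"):
    """Control case: the user really is on REAL_ORIGIN, so verification passes."""
    response = origin_bound_response(DEVICE_KEY, challenge, REAL_ORIGIN)
    return site_verifies(DEVICE_KEY, challenge, response)


if __name__ == "__main__":
    print("TOTP relayed from lookalike page accepted:", totp_accepted_after_relay())
    print("Origin-bound relayed from lookalike page accepted:", bound_accepted_after_relay())
    print("Origin-bound used on the real site accepted:", bound_accepted_direct())
```

The point of the three boolean functions is the contrast: `totp_accepted_after_relay` is True because a six-digit code carries no information about where it was entered, while `bound_accepted_after_relay` is False because the browser, not the user, supplies the origin, and the real site checks it against its own name. That is the property the "careful about checking they're on the correct site" step is trying, and failing, to get from humans.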
