Communication tool provider Twilio has revealed that the same malicious actors responsible for a July breach at the firm also managed to compromise an employee a month prior, exposing customer information.
The revelation was buried in a lengthy incident report updated and concluded yesterday.
The report focuses mainly on the July–August incident in which attackers sent hundreds of “smishing” text messages to the mobile phones of current and former Twilio employees.
Posing as Twilio or other IT administrators, they tricked some recipients into clicking on password reset links leading to fake Okta login pages for Twilio.
Once harvested, these credentials were used to access internal Twilio administrative tools and apps and, in turn, customer information.
However, the same actors were also responsible for another phishing attempt, this time carried out over the phone, the report revealed.
“Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or ‘vishing’) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers,” the notice read.
“The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June incident were notified on July 2, 2022.”
A total of 209 customers and 93 Authy end users were impacted by the incidents, according to Twilio.
The attacks were traced by researchers to a wider campaign by threat actor “0ktapus”, which used similar phishing techniques against employees at other organizations, including Cloudflare.
The incident highlights both the persistent threat of social engineering to corporate end users and the increasing focus threat actors are placing on compromising strategic technology providers further up the supply chain.