Twilio ‘smishing’ attack compromised around 125 corporate clients, including Signal

Smishing, baby. Communications tool giant Twilio, which provides text and phone services to over 250,000 corporate customers ranging from Facebook to the American Red Cross, suffered a serious breach of its systems after unknown parties bombarded its employees with sham password reset requests via text.

According to Twilio’s incident report, the firm was compromised by what’s known as a “smishing” (SMS phishing) attack on current and former employees—a method that is increasingly being used to target large businesses, as employer oversight of mobile devices is often lax.

In Twilio’s case, the bogus text messages supposedly came from the company’s IT department and informed the workers their company passwords had expired or their schedule had changed. Included in the texts was a URL (including words such as “Twilio,” “Okta,” and “SSO”) that superficially resembled Twilio’s actual login page. Instead, the link led to an attacker-controlled server designed to steal employee credentials. Twilio wrote in the report that the hackers had some method of pairing staff’s identities and roles to their phone number.

“We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for a limited period of time, and we have notified all of them,” Twilio wrote in a status update to the original report on August 11. “There is no evidence that customer passwords, authentication tokens, or API keys were accessed without authorization.”

An expansive operation. Cloudflare, a content delivery network and DDoS mitigation company, disclosed this month that it was subject to a near-identical attack around the same time as Twilio. According to Cloudflare, the fake URL page asked users to enter their Cloudflare Okta usernames and passwords, as well as a time-based one-time password (TOTP) code, a form of two-factor authentication. Unknown to the users, the attackers planned to quickly enter the logins and passwords into Cloudflare’s actual system, prompting it to text real codes to the employees that could be collected via the fake page.

Fortunately, Cloudflare reported, just three employees clicked the link. No systems were actually accessed by the hackers, as the company relies on FIDO2-compliant physical security keys rather than TOTP.

Downstream consequences. According to TechCrunch, encrypted messaging app Signal disclosed this week that the Twilio breach had allowed hackers to access phone numbers and SMS verification codes for around 1,900 users—apparently seeking out three users in particular (one of whom being a Motherboard reporter). Signal said that the attacker proceeded to reregister one of those three accounts, which potentially could have allowed them to impersonate the original number.

That attack was apparently possible because Signal relies on Twilio to transmit its verification codes, and the hackers briefly had access to Twilio’s customer support system. This has troubling implications for any organization relying on SMS authentication to control access, as the third-party vendors that actually handle the requests are a potential weak point in the verification chain.

“What I find frightening goes beyond the implications for Signal. Any platform or service can be manipulated to hand over verification credentials to an attacker,” Freedom of the Press Foundation’s CISO and digital security director Harlo Holmes told Motherboard. “And despite the protections various services put in place to protect our accounts once we’ve been verified, it is at this point when these accounts are the most vulnerable to takeover.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.