Incident Report: Employee and Customer Account Compromise
Summary (AI generated)
In mid-2022, Twilio faced a multi-phase cyberattack involving smishing (SMS phishing) and vishing (voice phishing) targeting its employees, resulting in unauthorized access to customer data. The primary incident began in July 2022 when attackers sent fake password-reset links to Twilio staff via text messages, mimicking Okta login pages. Compromised employee credentials allowed attackers to infiltrate internal systems, accessing non-public customer and Authy user information. A separate June 2022 vishing attack also affected some customers’ contact details but was contained within hours.
Key Findings:
- Scope: 209 of Twilio’s ~270,000 customers had accounts accessed; 93 Authy users were impacted (out of 75M total). No customer account credentials, API keys, or authentication tokens were exposed.
- Tactics: Attackers used fake domains (e.g., twilio-okta.com) to harvest employee credentials and OTPs. Forensic analysis linked the attacks to a global cyber group (“0ktapus/Scatter Swine”) targeting tech firms via similar social engineering.
Response & Remediation:
- Immediate Actions: Reset compromised credentials, revoked sessions, blocked attack indicators, and took down fake domains.
- Long-Term Measures:
  - Strengthened security with FIDO2 tokens for employees, enhanced multi-factor authentication (MFA), and restricted administrative tool access.
  - Added layers of control in corporate networks, increased token refresh rates for Okta apps, and mandated employee training on social engineering threats.
- Apology & Impact: Twilio apologized to affected customers, emphasizing remediation efforts and ongoing security investments. While no sensitive customer credentials were stolen, the breach highlighted vulnerabilities in phishing defenses. The company’s actions aim to rebuild trust through stricter protocols and proactive cybersecurity measures.
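The Tactics finding (credentials and OTPs harvested on a lookalike such as twilio-okta.com) and the FIDO2 remediation are two sides of one point: an OTP carries no binding to the site that collected it, while a FIDO2 assertion is signed over the browser-supplied origin. The example below is added here and is not Twilio's code; it simulates the origin and challenge check a WebAuthn relying party performs on clientDataJSON, with the RP origin `https://login.example-rp.com` and all sample data assumed and constructed for illustration.

```python
"""Why FIDO2 resists the Okta-lookalike phishing in this report (constructed example)."""
import base64
import json

ALLOWED_ORIGINS = {"https://login.example-rp.com"}  # assumed relying-party origin

def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as clientDataJSON fields are encoded."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> tuple:
    """Check the origin/challenge binding a WebAuthn server enforces.

    Returns (ok, reason). In a real RP the signature over
    authenticatorData || SHA-256(clientDataJSON) is verified after this step,
    so a tampered origin would also fail the signature check. The browser
    additionally refuses to use the credential at all when the page's domain
    does not match the credential's RP ID; this server-side check is defence
    in depth against a phishing page that relays the exchange.
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {data.get('origin')!r} not allowed"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser would stamp with the page's origin (constructed)."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed server nonce
    # Sign-in from the genuine login page: accepted.
    print(verify_client_data(make_client_data("https://login.example-rp.com", challenge), challenge))
    # Same user lured to the lookalike: the browser records that origin and the RP rejects it.
    print(verify_client_data(make_client_data("https://twilio-okta.com", challenge), challenge))
```

Contrast this with the OTP flow described in the report, where a code typed into twilio-okta.com is indistinguishable to the real service from one typed into the genuine page.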