Twilio, which offers digital authentication solutions, said some of its employees and customers were hacked as part of a scheme in which outsiders duped employees into handing over their passwords.
San Francisco-based Twilio represents a ripe target for hackers, because access to its service could enable hackers to access Twilio clients, or the particular accounts. The company said it became aware of the incident on Aug. 4.
“This broad-based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said in a blog post on Sunday. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
Twilio said it hasn’t identified the specific hackers responsible for the breach, and that it has hired a computer forensics firm to assist in remediation of the breach. Twilio said that other companies were also subject to attacks, though it didn’t identify any by name.
Attackers targeted Twilio employees with phony text messages stating that the staffers’ password credentials had expired. The texts included links to websites controlled by hackers that appeared to be legitimate. When employees entered their username and password into the website, hackers harvested that information.
In the past three days, hackers have been targeting companies that provide two-factor authentication services in an attempt to steal cryptocurrency, compromise telecommunications companies and breach customer relationship management portals, according to three computer security professionals tracking the scheme. The alleged hackers have a particular interest in SIM swapping, the people said, referring to a criminal tactic where hackers compromise telecommunications providers to gain control of a target’s phone number.
It’s not yet known if the same group of hackers are responsible for the breach of Twilio.
Security researchers noticed new websites being registered that bore similar names to the companies being targeted, including major telecommunication companies, cryptocurrency exchanges, and computer security companies. The websites were used to host fake pages designed to look like legitimate employee login portals. The researchers were able to link the fake domains because they were registered around similar times and had similar technical attributes.
In March, the two-factor authentication provider Okta was compromised by a group of hackers dubbed Lapsus$. The hacking group embarked on a spree of hacks, breaching major firms like Microsoft and Nvidia. Bloomberg News later reported that the alleged mastermind behind the group was a teenager in England, who was later charged with computer crimes.