An investigation into an August smishing attack on Twilio has turned up a connection to an earlier vishing attack. It appears that the culprit behind the August Twilio hack also managed to penetrate the company in June in a separate incident that exposed a much smaller amount of customer contact information.
Two Twilio hacks in three months linked to the same threat actor
The August Twilio hack stemmed from a campaign that peppered employees with SMS messages, eventually convincing one to visit a fraudulent login page. The investigation into this incident was recently concluded, and the company has found that the same attacker was responsible for a smaller breach in June. That earlier incident involved a different approach, however: a vishing (voice phishing) attack that convinced an employee of the company to give up their login credentials over the phone.
The June vishing attack window reportedly lasted for only about 12 hours and provided the attackers with access to a “limited” amount of customer information. Those who were impacted were notified in July, but the link to the August attack is new. The August Twilio hack was apparently launched shortly after customers were notified of the first attack, with the hacker changing their approach to pose as a member of the company’s IT staff and attempt to get employees to enter credentials into a fake Okta login portal…