Twilio has revealed that a newly disclosed breach, stemming from a June 2022 security attack by the same culprit behind the August hack, accessed customer information.
According to Bleeping Computer, the cloud company says the June 29 security incident used a social engineering trick, voice phishing, to get an employee to give away their credentials.
The Large-scale SMiShing Campaign Affects Hundreds Of Customers
With the stolen credentials from the Twilio employee, the hackers were able to access customers' contact information, but only for a limited number of them.
While the cybercriminals were identified within 12 hours, 209 customers and 93 Authy end users were impacted by the earlier attacks by the group known as Scatter Swine or Oktapus.
However, an investigation by the cloud service provider found no evidence that customers' console accounts, API keys, or authentication keys were also compromised.
The attacks did not stop in June; the last observed activity in Twilio's systems was on August 9, after the hackers had gained access to the company's database.
Twilio says the August incident was possible because the hackers used employee credentials obtained through SMS phishing to access its networks.
Once inside the company's network, the hackers acquired customers' and users' data through administrative portals and accessed Authy 2FA accounts and codes.
According to Bleeping Computer, the data breach, which also let the threat actors register their own devices to obtain temporary tokens, is part of an extensive campaign.
This campaign by Scatter Swine targeted at least 130 organizations, including MailChimp, Klaviyo, and Cloudflare, which say that their employees were also victims of the same SMiShing attack.
As a result of both breaches that happened in June and August, Twilio has reset the credentials of the employee user accounts.
Twilio Is Making Eradication And Remediation Efforts After The Attack
According to Twilio's incident report, upon discovering the breach, which was carried out through unauthorized access to the company's systems, they took action to address it.
The cloud company is making sure they have removed the threat actor's access to their systems by revoking all active sessions connected to the Okta-integrated apps.
Additionally, they are blocking everything associated with the compromise and are taking down two fake Twilio domains, Twilio reports.
Furthermore, Twilio has put in place a number of security measures, including stronger two-factor precautions and distributing FIDO2 tokens to employees.
They are also adding layers of control to their VPN, and are conducting more mandatory security training for all employees on social engineering attack techniques.
Moreover, the company has already reached out to their customers to express regret about the situation, and to assure them that the company is making significant enhancements to their security.
With this, Twilio commits to doing better by making long-term investments to earn back customer trust.