Twilio breach: exposed user MFA passwords, 93 user accounts accessed

Twilio breach led to access to other details and even two-factor one-time passwords

Phishing attacks increase: Twilio console breach led to Okta OTP access

Twilio became a victim of the attack earlier this month; during the incident, threat actors managed to gain access to the accounts of 93 individuals. Users of the Authy two-factor authentication service were affected by the security breach.[1] The company confirmed that the unauthorized access made it possible for the adversary to register additional devices to these compromised accounts.

Those illegitimate devices added to some of the impacted accounts were later identified and removed, but other issues stem from the incident.[2] The breach and hacking campaign was carried out by the attacker tracked as Oktapus or Scatter Swine, and it is more significant than it might seem.

The security breach originated in a phishing attack and shows that such attacks not only give attackers valuable access to the targeted networks but can also set off supply chain attacks:[3] once access to one company's systems is obtained, it can further open access to that company's clients and their systems, information, and devices.

Over the past year, threat actors have deployed various phishing campaign methods to target technology companies. Many of these campaigns are linked to the same group, Scatter Swine. They aim to steal Okta identity credentials and authentication passwords or codes.

It started with an SMS

The customer engagement platform disclosed that a sophisticated threat actor gained access via an SMS-based phishing[4] campaign aimed at its staff, with the purpose of obtaining account information. The attack succeeded in stealing employee credentials.

This broad based attack against our employee base succeeded in fooling some employees into providing their credentials

Attackers used those stolen credentials to access internal systems and obtain certain customer data. So far, investigators have identified 163 affected customers; at least 125 of them had their accounts accessed for a limited period of time. These figures were collected after the incident, on August 10th.[5]

Accessing the Twilio console opens the way to other data

The Twilio hackers used their access to the console to view mobile phone numbers and one-time passwords delivered by SMS to customers of Okta, the identity and access management company. Okta offers multiple forms of authentication for its services, including temporary codes sent via SMS through Twilio.

At the time of the initial hacking, one of the services Okta used for customers opting for SMS as an authentication factor was provided by Twilio. Later, Okta learned about the hack and the exposure of unspecified data relevant to its company and started to reroute SMS-based communications via a different provider.

Okta later determined that the threat actors managed to access phone numbers and one-time password codes belonging to its customers. Officials note that an OTP code remains valid for no more than 5 minutes, so no further access to devices or accounts could have been gained.

The company also notes that the intruder searched for 38 phone numbers, almost all of which were associated with one organization, so that client's network was apparently the target. However, Okta's investigation shows that the threat actor did not use the mobile phone numbers that might have been accessed.

About the author
Jake Doevan - Computer technology expert