Twilio, a San Francisco-based digital communications company, has confirmed that hackers tricked members of its staff into sharing their login credentials. The attackers sent SMS messages to employees saying a change had been made to their work schedules and asking them to reset their passwords. The official-looking text messages included references to “Twilio,” “SSO (single sign-on),” and Okta, the name of Twilio’s user authentication service. The link included in the SMS messages mimicked a Twilio sign-on page where attackers collected the information input by employees.
While the Twilio customer support team has reached out to impacted organizations, Fortalice is advising our clients to contact the company directly to verify whether their organization's information has been compromised.
In the days following the disclosure by Twilio, Cloudflare revealed the content delivery network company had been targeted in a similar manner. In Cloudflare's case, however, the company's use of hardware-based multi-factor authentication (MFA) keys prevented attackers from accessing its internal network.
The Twilio and Cloudflare incidents are examples of smishing attacks, which are social engineering attacks performed via SMS or text messages. The text messages contain links to web pages, email addresses, phone numbers, or other lures designed to get potential victims to click. The Twilio breach included SMS messages with employee scheduling information to increase the likelihood the employee would click the link.
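The contrast between the two incidents comes down to what the stolen input is good for. A password or one-time code typed into a lookalike page can be replayed against the real sign-on service; a hardware-key (WebAuthn/FIDO2-style) assertion cannot, because the browser stamps the page's true origin into the data the key signs and the sign-on service checks it. The following is an added illustration, not code from Twilio, Cloudflare, Okta or Fortalice. It assumes constructed domains and users, an HMAC standing in for the security key's asymmetric signature, and a function standing in for the browser's part of the ceremony.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example-corp.com"                         # constructed relying-party ID
LEGIT_ORIGIN = "https://sso.example-corp.com"      # constructed real SSO origin
LOOKALIKE_ORIGIN = "https://sso-example-corp.com"  # constructed phishing origin


def client_data_json(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it: the page's real origin goes in here."""
    data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return json.dumps(data, sort_keys=True).encode()


def authenticator_sign(rp_id: str, key: bytes, client_data: bytes) -> dict:
    """Stand-in for the security key: signs rpIdHash || SHA-256(clientDataJSON).
    HMAC is an assumption here in place of the key's asymmetric signature."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def browser_get_assertion(page_origin: str, rp_id: str, key: bytes, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): refuse unless rp_id is a registrable
    suffix of the calling page's origin, then stamp that origin into the data."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp_id {rp_id!r} does not match origin {page_origin!r}")
    return authenticator_sign(rp_id, key, client_data_json(page_origin, challenge))


class RelyingParty:
    """Minimal server side of the login ceremony."""

    def __init__(self, origin: str, rp_id: str) -> None:
        self.origin, self.rp_id = origin, rp_id
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user: str, assertion: dict) -> tuple[bool, str]:
        challenge = self.pending.pop(user, None)  # single use: blocks replay
        if challenge is None or user not in self.keys:
            return False, "no pending login for user"
        cd = json.loads(assertion["client_data"])
        if cd.get("challenge") != challenge.hex():
            return False, "challenge mismatch (stale or replayed)"
        if cd.get("origin") != self.origin:  # the phishing-resistance check
            return False, f"origin mismatch: assertion signed for {cd.get('origin')}"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.keys[user], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "authenticated"


def _enrolled_rp(user: str) -> tuple[RelyingParty, bytes]:
    rp, key = RelyingParty(LEGIT_ORIGIN, RP_ID), secrets.token_bytes(32)
    rp.register(user, key)
    return rp, key


def phished_password_login(real_password: str, typed_on_lookalike: str) -> bool:
    """Password/OTP path: whatever the victim typed on the lookalike page replays as-is."""
    return hmac.compare_digest(real_password.encode(), typed_on_lookalike.encode())


def legitimate_webauthn_login(user: str = "alice") -> tuple[bool, str]:
    rp, key = _enrolled_rp(user)
    challenge = rp.begin_login(user)
    return rp.finish_login(user, browser_get_assertion(LEGIT_ORIGIN, RP_ID, key, challenge))


def browser_refuses_lookalike(user: str = "alice") -> bool:
    """First line of defence: the browser will not even ask the key on the wrong origin."""
    rp, key = _enrolled_rp(user)
    try:
        browser_get_assertion(LOOKALIKE_ORIGIN, RP_ID, key, rp.begin_login(user))
    except ValueError:
        return True
    return False


def relayed_assertion_login(user: str = "alice") -> tuple[bool, str]:
    """Second line: even an assertion minted on the lookalike origin (browser check
    bypassed) is rejected, because the origin sits inside the signed data."""
    rp, key = _enrolled_rp(user)
    challenge = rp.begin_login(user)  # relayed in real time by the phishing page
    assertion = authenticator_sign(RP_ID, key, client_data_json(LOOKALIKE_ORIGIN, challenge))
    return rp.finish_login(user, assertion)
```

Running `phished_password_login("hunter2", "hunter2")` returns `True`, which is the Twilio outcome: the relayed secret is indistinguishable from the real login. `legitimate_webauthn_login()` returns `(True, "authenticated")`, `browser_refuses_lookalike()` returns `True`, and `relayed_assertion_login()` returns `(False, "origin mismatch: ...")`, which is the Cloudflare outcome. Note that the server-side checks are ordered so the challenge and origin are verified before any signature work, and that the one-time challenge is popped on first use so a captured assertion cannot be resubmitted.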
The strategies below, provided by the Cybersecurity and Infrastructure Security Agency (CISA), outline how to protect yourself and your organization from smishing attacks:
We value you as customers, and we understand incidents like these can be very unsettling. We are here to help. Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions or assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.
Fortalice Solutions has partnered as a Data Privacy Champion. With the goal of increasing awareness about online privacy among individuals and organizations, one aim of Data Privacy Week is to help organizations understand why it is important to respect the data of their users, employees, and suppliers.
T-Mobile announced on January 19 that it was reviewing a November 2022 data breach, potentially impacting 37 million accounts through one of its APIs. This advisory is intended to help our clients understand the urgent need to review their API security, while also summarizing recent T-Mobile breaches.