Twilio Announces a String of New Security Breaches
August 26, 2022
On August 8, 2022, San Francisco-based communications company Twilio announced that it had experienced a data breach. As stated on the company’s website, “Twilio is a single platform with flexible APIs for any channel, built-in intelligence, and global infrastructure to support you at scale, and can be used to create the exact solution you need to engage customers at every step of their journey.” For reference, some of the companies that use Twilio’s numerous products include the popular ridesharing service Lyft, the vacation rental company Airbnb, and the global streaming service Netflix, among a host of others. Twilio confirmed that the personal information of up to 125 customers had been illegally accessed as a result of the breach. The breached data included payment details, IP and postal addresses, and even proof of identity.
What’s more, Twilio sustained a second security breach several weeks later, on August 24, 2022, when the company’s two-factor authentication application Authy was compromised. As reported by the online technology newspaper TechCrunch, “Researchers this week linked the attack on Twilio and others to a wider phishing campaign by a hacking group dubbed ‘0ktapus,’ which has stolen close to 10,000 employee credentials from at least 130 organizations since March.” The article goes on to state that the hacking group in question was able to pilfer the personal information of 93 Authy users, which then enabled the hackers to generate login credentials for any accounts these users had access to.
Two-factor authentication
While data breaches have become an all but inevitable reality of the current digital age, many consumers rely on two-factor authentication services to safeguard them from such events in the first place. Two-factor authentication was once viewed as a strong deterrent to any hacking groups or malicious actors looking to steal the personal information of a given online user, but cybercriminals are increasingly finding new ways to launch attacks against unsuspecting individuals. Moreover, as the recent hacking of Authy has shown, many of these cybercriminals do not operate on a small scale; instead, they attack a wide variety of businesses and organizations when looking to steal the personal data of consumers.
0ktapus
To this last point, the hacking group 0ktapus has been linked to hundreds of other similar attacks against businesses and organizations that operate around the world. What’s more, this group focuses on stealing the login credentials of employees who work within a particular business or organization, in contrast to other cybercriminals who work to hack databases or take advantage of vulnerabilities that may be present within an organization’s website or IT environment, in addition to many other nefarious activities. Furthermore, the hacking group has also targeted mobile operating systems and telecommunications devices, as these types of accounts will obviously grant these criminals various levels of personal information regarding consumers.
Social engineering
Although the actions of hacking groups such as 0ktapus may come across as brazen and reckless to those who are unfamiliar with the world of hacking and cybercrime, the methods and techniques that these individuals used to run off with personal data were prime examples of social engineering attacks. The Oxford Dictionary defines social engineering as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” This being the case, the practice of social engineering is predicated on the manipulation of trust and emotions, as opposed to the more brute-force tactics that are utilized by other bad actors within the realm of cybercrime. As a result, employees like those who work for companies such as Twilio may still be subject to these kinds of attacks, despite the fact that the services they provide to the general public are designed to thwart social engineering attempts.
As 2021 saw the most cyberattacks that have ever occurred in history, data breaches like those that companies such as Twilio have sustained in recent weeks will likely only continue to occur, as cybercriminals continue to develop new ways to plunder the data of consumers. For this reason, consumers and businesses alike must look to new methods when securing their personal data, whether this be in the form of data protection techniques such as redaction or encryption, or alternative methods, as the days of simply utilizing a password manager or two-factor authentication system to ensure that personal information remains confidential at all times are likely over.