Total loss estimated at $35,000,000.

The attack was part of a coordinated campaign dubbed “0ktapus” (also tracked as “Scatter Swine”) by Group-IB researchers. The campaign ultimately compromised more than 130 organizations by phishing Okta single-sign-on credentials and MFA codes, then using those credentials to pivot into downstream targets. Across the full 0ktapus campaign, attackers harvested approximately 9,931 user credentials and 5,441 MFA codes, all exfiltrated to a Telegram-based command channel.

Twilio disclosed that 209 customer accounts and 93 Authy end-user accounts were directly compromised. The downstream impact spread quickly:

• Okta: Twilio’s access to its customer support console allowed attackers to access phone numbers and OTPs belonging to Okta customers. Okta later disclosed it was among the 163 Twilio customers whose data was exposed. Okta attributed the same threat actor to a separate campaign it called “Scatter Swine.”

• Signal: Twilio provided phone-number verification (SMS OTP delivery) for Signal. During the window of unauthorized access, attackers could see Signal users’ phone numbers and potentially redirect SMS verification codes. Approximately 1,900 Signal user phone numbers were exposed (covered in a separate record).

• Authy: Twilio’s two-factor authentication app Authy had 93 end-user accounts accessed, with attackers able to register additional devices to those accounts and intercept future OTP codes.

• DoorDash: Attackers used credentials obtained via a Twilio-connected vendor to access DoorDash’s internal systems, exposing names, email addresses, delivery addresses, phone numbers, partial payment card data, and order history for a subset of customers and delivery workers.

• LastPass: LastPass confirmed it detected unusual activity originating from a third-party vendor (later confirmed to be Twilio-connected infrastructure) that accessed its developer environment. While no customer vault data was taken in this initial August event, it was the first intrusion in a two-stage attack that ultimately led to the major LastPass vault-data theft in November 2022.

The 0ktapus campaign demonstrated how compromising a single telephony/identity infrastructure provider could cascade across dozens of high-value downstream organizations simultaneously. Cloudflare also received the same SMS phishing messages but avoided compromise because it had deployed hardware FIDO2 security keys for all employee authentication, making phished passwords and OTPs useless alone.

The malware payload, dubbed Moserpass by CSIS Security Group (which discovered the attack), collected and exfiltrated a broad set of sensitive data to attacker-controlled servers: computer name, username, domain name, current process name and ID, as well as all credential fields stored in Passwordstate vaults — title, username, description, notes, URL, and plaintext password. The harvested credentials were transmitted to a hardcoded C2 endpoint using HTTP POST requests.

Passwordstate is used by over 370,000 security and IT professionals at approximately 29,000 organizations worldwide, spanning government, defense, finance, aerospace, retail, automotive, healthcare, legal, and media sectors. Click Studios issued an emergency advisory on April 24 urging all customers who had performed an In-Place Upgrade to immediately reset every password stored in the vault. The company published a hotfix on April 24 and removed the compromised upgrade mechanism entirely in a longer-term remediation released August 2, 2021.

The attack bore structural similarities to SolarWinds SUNBURST: legitimate software update infrastructure was weaponized to reach deeply embedded enterprise users, and the payload was designed to harvest the most sensitive possible data — stored credentials — rather than deliver ransomware or destructive malware. Attribution was not publicly confirmed. Customers complained for months about insufficient transparency, as Click Studios declined to publicly disclose how many customers had been impacted or which specific organizations had received the malicious update.

The attackers modified the Bash Uploader to append a malicious one-liner: a curl command that silently exfiltrated all CI/CD environment variables — including tokens, API keys, AWS keys, and any secret stored in the CI environment — to an attacker-controlled server (35.85.59[.]168). Because the Bash Uploader was executed inside thousands of CI pipelines on every code push, the attackers received a continuous stream of credentials across a wide range of organizations throughout the 2.5-month window.

The attack was structurally similar to the SolarWinds compromise: a trusted tool inserted into developers’ build pipelines became a universal collection mechanism. Codecov’s post-mortem confirmed periodic unauthorized alterations to the script occurred across the window. The FBI and CISA investigated the incident.

Confirmed victims who publicly disclosed impact included: Rapid7 (source code repository access and a small number of internal credentials from their MDR tooling CI server); Twilio (GitHub repository credentials accessed); Monday.com (source code accessed via compromised tokens); Mercari (source code and internal credentials); HashiCorp (GPG signing key used for HashiCorp releases exposed, leading to key rotation); Confluent (source code exposed). Hundreds of additional organizations were reported affected but did not publicly disclose. The attackers appeared to prioritize targets with access to further high-value infrastructure rather than mass exploitation.

Codecov rotated all credentials, replaced the compromised Bash Uploader, and notified affected customers beginning April 15, 2021. The incident prompted widespread calls to remove curl-pipe-to-bash patterns from CI pipelines and to use integrity-verified, pinned script downloads.

The unprotected cluster consisted of ten data collections totalling more than 350 million records. The largest single collection held 275 million records containing caller names, phone numbers, and caller locations. A separate collection contained over two million voicemail records, of which approximately 200,000 had been transcribed into text — these transcripts included highly sensitive content such as discussions of financial loans, medical prescriptions, and personal matters. Because Broadvoice offers a unified communications platform with voicemail-to-text transcription services, these audio-derived records carried particularly rich personal detail.

The exposed data included: caller and recipient names, phone numbers, geographic locations, caller device identifiers, call metadata, and transcribed voicemail content referencing health information and financial matters. The presence of health-related voicemail transcripts raised HIPAA concerns, as some of Broadvoice’s business customers operate in regulated healthcare-adjacent sectors.

This incident is classified as an inadvertent exposure rather than an active intrusion. No CVEs are applicable — the root cause was a misconfiguration of the Elasticsearch cluster, which lacked any access controls or authentication. This is a recurring pattern across cloud-hosted NoSQL databases (Elasticsearch, MongoDB, CouchDB) where default open configurations are deployed without hardening.

Because Broadvoice provides communications infrastructure to businesses rather than directly to consumers, the downstream impact extends across the entire customer base of those businesses — meaning the true number of individuals whose data was exposed is difficult to quantify precisely. The incident drew significant attention due to the voicemail transcript exposure, which went well beyond typical metadata breaches. Broadvoice did not publicly disclose how many individual customers or end-users were ultimately affected, nor whether it notified downstream business clients or their end users.

Data exposed included Aadhaar card numbers and scanned images, Permanent Account Number (PAN) card data, biometric details, caste and religion certificates, residential addresses, professional degree certificates, user photographs, UPI IDs, and bank account details. The breadth of exposure was particularly severe because BHIM is deeply integrated with India’s national digital identity infrastructure; compromised Aadhaar numbers combined with financial identifiers create a high-risk vector for identity fraud and targeted phishing.

The National Payments Corporation of India (NPCI), which operates BHIM, initially denied any compromise at the app level, stating the breach was not within BHIM’s own systems. This was technically accurate — the data sat in CSC’s infrastructure rather than NPCI’s — but critics argued the distinction did little to protect affected users. India’s Computer Emergency Response Team (CERT-In) was notified twice by vpnMentor before the bucket was eventually secured.

The incident illustrates a recurring pattern in government-linked digital payment ecosystems: national-scale identity data is funneled through third-party contractor portals that may not be subject to the same security oversight as the core platform. No CVE applied as the root cause was a configuration failure rather than a software vulnerability. The breach prompted calls for mandatory cloud security audits of all entities handling Aadhaar-linked data. No threat actor was identified; the data appears to have been passively exposed rather than actively exfiltrated, though it is unknown whether malicious parties downloaded data before the bucket was secured. No customer notification programme was publicly announced by CSC or NPCI.

Although Amazon S3 buckets default to private access restricted to the account owner, the salesperson failed to follow AWS best practices, leaving the bucket publicly readable. The exposure was discovered before any known malicious actor accessed the data, and UpGuard reported it to AWS, which secured the bucket.

The contents of the bucket included spreadsheets documenting the configurations of approximately 31,000 GoDaddy systems hosted on AWS infrastructure. The spreadsheet columns covered hostname, operating system, workload type, AWS region, memory, CPU specifications, and related technical details across 41 distinct fields per system entry. Additionally, the files contained detailed AWS pricing information, including the specific discounts and rates GoDaddy had negotiated — commercially sensitive data that could provide competitors with a negotiating advantage in their own AWS contract discussions.

While no customer personal data or credentials were exposed, the configuration map represented a detailed blueprint of GoDaddy’s cloud infrastructure. An attacker who obtained this data could have used it to select high-value targets based on workload type, probable data classifications, system role, region, and scale — substantially reducing the reconnaissance effort required for a targeted intrusion.

The incident was notable because the misconfiguration originated with an AWS employee acting in a sales capacity, not with GoDaddy’s own IT team. It illustrated how cloud vendor relationships and pre-sales activities can inadvertently create exposure points entirely outside the customer’s visibility or control. GoDaddy was not directly responsible for the misconfiguration but bore the reputational and competitive risk from the disclosure.

The exposed records contained highly sensitive guest and payment information: full names, phone numbers, email addresses, national ID numbers, full credit card numbers (including cardholder names, CVV codes, and expiration dates), reservation numbers, check-in and check-out dates, nightly room rates, number of guests, and special requests. The S3 bucket was still live and actively receiving new records at the time of discovery, with over 180,000 records uploaded in August 2020 alone.

The breach violated PCI DSS (Payment Card Industry Data Security Standard) requirements, which prohibit storing unencrypted CVV codes and mandate strict controls over full card numbers. The presence of full card data including CVVs means the exposed records could be used directly for card-not-present fraud without further processing.

Website Planet contacted AWS directly to expedite resolution; the bucket was secured the following day. Prestige Software serves as a channel manager — a middleware platform that synchronizes hotel inventory and reservations across multiple OTA (Online Travel Agency) channels. This architectural role means a single misconfiguration at Prestige cascaded exposure across guests of numerous hotel brands and OTA partners who had no visibility into the vendor’s storage practices.

The incident is classified as an inadvertent data exposure rather than an active intrusion. No CVEs apply — the root cause was a failure to apply access controls to an S3 bucket. The breach affected an estimated millions of hotel guests worldwide across multiple hotel brands and booking platforms, though exact victim counts were not publicly disclosed by Prestige Software.