Credential theft
Supply Chain
TechCrunch / The Register / Group-IB (0ktapus research)
Primary Source

Incident Details
Twilio employees received smishing text messages impersonating the IT department and claiming their passwords had expired. Employees who followed the link entered their credentials on a fake Twilio login page; the attackers relayed the one-time codes in real time to the legitimate site, so TOTP-based MFA did not stop the account takeover. 209 Twilio customers and 93 Authy users were affected. The intrusion was part of the larger ‘0ktapus’ campaign, which hit more than 130 organizations including Cloudflare, DoorDash and Signal (the latter via Twilio). The attackers had a sophisticated ability to match employee phone numbers to names. The investigation also revealed that Twilio had been breached earlier, in June 2022, by the same method.
Technical Details
- Initial Attack Vector
  - CWE-1021: Improper Restriction of Rendered UI Layers (SMS phishing / smishing with real-time OTP relay to fake login page)
- Vendor / Product
  - Twilio Communications Platform
- Supply Chain Attack
  - Confirmed third-party / vendor compromise
Timeline
- 2022-06-01 Breach occurred
- 2022-08-07 Publicly disclosed
- 2022-08-11 Customers notified