Twilio Breach Compromised Authy Two-Factor Accounts of Some Users

The recent Twilio breach also compromised Authy’s two-factor authentication (2FA) service. The sophisticated phishing attack carried out by the threat actors managed to gain access to the accounts of 93 individual Authy users.

According to Twilio, the threat actors managed to gain unauthorized access leading them to register additional devices to these affected accounts. The company has identified and removed the illegitimately added devices from the impacted accounts.

Authy, a company Twilio acquired in February 2015, provides the second layer of security for Twilio users. This additional layer is designed to prevent account takeover attacks, and nearly 75 million users are registered with it.

According to Twilio, an investigation conducted on August 24, 2022, identified around 163 affected customers, up from the 125 reported on August 10, whose accounts were accessed for a limited period of time.

The hacking group, dubbed 0ktapus by Group-IB, is associated with a sprawling campaign affecting 136 companies, including Klaviyo and MailChimp, as well as an unsuccessful attack against Cloudflare that was thwarted by the company’s use of hardware security tokens.

The companies targeted belonged to the technology, telecommunications, and cryptocurrency sectors. The attacks deployed a phishing kit to capture usernames, passwords, and one-time passwords (OTPs) via rogue landing pages that mimicked the Okta authentication pages of the respective organizations.

The data collected was forwarded in real time to a Telegram account controlled by the cybercriminals. The threat actor then pivoted to other services in a so-called supply chain attack aimed at Signal and Okta, effectively widening the scope and scale of the intrusions.

In all, the phishing expedition is believed to have netted the threat actor at least 9,931 user credentials and 5,441 multi-factor authentication codes.

Okta, for its part, confirmed the credential theft had a ripple effect, resulting in the unauthorized access of a small number of mobile phone numbers and associated SMS messages containing OTPs through Twilio’s administrative console.

According to Okta, the OTPs have a five-minute validity period, and the incident involved the attacker directly searching for 38 unique phone numbers on the console, most of them belonging to a single entity, with the goal of expanding their access.

Okta further explained, “The threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in those challenges.” Further, its analysis of the incident logs “uncovered an event in which the threat actor successfully tested this technique against a single account unrelated to the primary target.”
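The pattern Okta describes above, one console account searching for a burst of distinct phone numbers within the OTP validity window, is something a defender can look for in admin-console audit logs. The following detector is an added example, not code from the article, Twilio or Okta; the log line format, field names, the `message_search` action name and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
"""Added example: flag admin-console accounts that search an unusual number of
distinct phone numbers inside a short sliding window.

Assumed audit-line format (constructed for this example):
    <ISO-8601 UTC time> <actor> <action> <target>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines. "alice" searches six distinct numbers in
# under three minutes; "bob" searches two numbers hours apart.
SAMPLE_LOG = """\
2022-08-09T14:02:11Z alice@example.test message_search +15550000001
2022-08-09T14:02:40Z alice@example.test message_search +15550000001
2022-08-09T14:03:05Z alice@example.test message_search +15550000002
2022-08-09T14:03:30Z alice@example.test message_search +15550000003
2022-08-09T14:03:58Z alice@example.test message_search +15550000004
2022-08-09T14:04:20Z alice@example.test message_search +15550000005
2022-08-09T14:04:49Z alice@example.test message_search +15550000006
2022-08-09T14:10:00Z bob@example.test message_search +15550000099
2022-08-09T16:45:00Z bob@example.test message_search +15550000098
2022-08-09T14:05:00Z alice@example.test account_view acct_1234
"""


def parse_line(line):
    """Split one audit line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target


def flag_phone_lookup_bursts(log_text, max_distinct=5, window=timedelta(minutes=10)):
    """Return {actor: distinct_count} for every actor whose searches cover more
    than `max_distinct` unique phone numbers within any window of length `window`.

    Repeated searches for the same number are counted once, so a legitimate
    operator re-checking one delivery is not flagged; a sweep across many
    numbers is.
    """
    per_actor = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, actor, action, target = parse_line(line)
        if action == "message_search":  # assumed action name for an OTP/SMS lookup
            per_actor[actor].append((ts, target))

    flagged = {}
    for actor, events in per_actor.items():
        events.sort()  # lines may arrive out of order; sort by timestamp
        left = 0
        for right in range(len(events)):
            # Advance the left edge until the window fits.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {target for _, target in events[left:right + 1]}
            if len(distinct) > max_distinct:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for actor, count in flag_phone_lookup_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {actor} searched {count} distinct phone numbers within 10 minutes")
```

The threshold and window are tuning knobs: the window should be on the order of the OTP lifetime the page cites (five minutes) or a little longer, and the distinct-number threshold set from a baseline of what support staff normally do in that time. The same loop generalizes to other rare-but-sensitive console actions by changing the action filter.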

In the case of Cloudflare, the identity and access management (IAM) provider Okta pointed out that it is aware of several cases where the attacker sent out a blast of SMS messages targeting employees and their family members.

Okta added, “The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.”

Food delivery service DoorDash said it detected “unusual and suspicious activity from a third-party vendor’s computer network.” The company disabled the vendor’s access to its system to contain the breach.

The security loophole enabled the attacker to access names, email addresses, delivery addresses, and phone numbers associated with a “small percentage of individuals.” In select cases, basic order information and partial payment card information were also accessed.

DoorDash notified affected users directly and said the unauthorized party also obtained delivery drivers’ (aka Dashers) names and phone numbers or email addresses, but emphasized that passwords, bank account numbers, and Social Security numbers were not accessed.

The company did not reveal who the third-party vendor is. Speaking to TechCrunch, the company said the breach is linked to the 0ktapus phishing campaign.
