Twilio has suffered a second attack, leading to the compromise of its former and current employee accounts and the loss of sensitive customer information. This text shares the details of the attack, how it happened, whether it is over, whether customers are safe, how Twilio is dealing with it, and what organizations could learn from the cyberattack.

Twilio, one of the most popular messaging giants in the US was hit by a data breach for a second time, compromising multiple employee and customer accounts. Twilio suffered a data breach in June by 0ktapus hackers, leading an innocent employee into a trap using social engineering tactics to dupe the employee with voice phishing. Twilio has released an incident report highlighting the details of the second 0ktapus social engineering attack using SMS phishing. Here is everything about the cyberattack on Twilio and how you can avoid such attacks.


Twilio’s Social Engineering Attack in a Glance

Twilio recognized an unauthorized actor in its systems on 4 August 2022. The threat actor carried out a broad attack against Twilio’s employees and duped some employees into providing their login credentials.

The threat actor then utilized the stolen credentials to gain access to the organization’s internal systems and compromise customer data. Twilio’s current and former employees received text messages from the threat actor, impersonating the organization’s IT department, falsely suggesting that the employee’s passwords had expired or there was a need for a change in the employee’s schedule, leading the innocent employees to a malicious URL (Uniform Resource Locator) controlled by the threat actor. The text messages that the employees received originated from US carrier networks.

The URLs used included genuine words such as “Twilio, SSO, and Okta” to make them appear authentic to the employees so they would be tricked into providing their data. The URLs led to a fake web login portal that matched Twilio’s sign-in page so employees would fill in their credentials without second thoughts. Here is a sample of an SMS phishing message from one of the victims.

(An SMS phishing message received by one of Twilio’s employees, Source: Twilio)



As you can see, the SMS phishing message used by the threat actors for the campaign imitates the short communications often sent within the organizational network and uses a link with the organization’s name.


Is the Attack on Twilio Over?

Twilio has communicated with other enterprises that suffered similar attacks and have coordinated its incident responses with the best possible approach. Twilio has been working with the US carrier networks to limit the threat actor’s malicious text-sending frenzy and aiding hosting providers to shut the accounts that posted the malicious URLs.

However, the threat actor has also been rotating carriers and using various hosting providers to continue the attack on Twilio. The threat actor is not an amateur and carries out such a broad social engineering campaign without much effort. Furthermore, the threat actor could also match employee names collected from various sources with contact numbers, hinting towards using automated technologies and a cunning mind.

Twilio has outlined that it has reason to believe that the attack is sophisticated and methodical, with well-organized threat actors orchestrating it. Twilio recognized the complex and advanced nature of the attack and has not identified the specific threat actors responsible for the social engineering attack leading to the network and data breach. Twilio has liaised with law enforcement to tackle the cyberattack challenging their most advanced cybersecurity defenses.


Twilio’s Incident Response: How is Twilio dealing with the 0ktapus Attack?

Twilio has been swift in its incident response, revoking all access to the compromised employee accounts after the discovery to mitigate the attack. Twilio also hired a forensics team to aid with the ongoing investigation.

Since the attack started as social engineering, Twilio has altered its security training and emphasizes social engineering tactics and employee education. Hence, the workforce is on high alert for such attacks in the future. Furthermore, Twilio has issued security advisories on the threat actors’ tactics since the beginning of the first attack and mandated its security awareness and security training programs.

The danger of the threat actor still looms over Twilio, so the organization is examining technical precautions even with the investigation, has notified all affected customers, and is communicating with each individual to provide details for remedying the attack.

Twilio also emphasized in its incident response report that trust is paramount at the organization and has apologized to its customers for failing to protect their data. Twilio added that even a well-staffed security team with the latest threat detection measures could not stop the threat actors. The organization will perform an extensive response and institute better systems. By keeping in mind the root causes of the attack, the organization will ensure that such attacks do not happen in the future.


Are Twilio Customers Safe?

Twilio revealed that similar attacks have been targeting various organizations and provided three details:

  •   0ktapus threat actors accessed the data of 125 Twilio customers.
  •   The data was only accessed for a limited time.
  •   The organization has not found evidence that the threat actors accessed API (Application Programming Interface) keys, authentication tokens, or customer account passwords.

Twilio has highlighted that it is only contacting the clientele whose data was affected. If you have not received any word from the organization, you can rest assured that the social engineering attack did not impact your account or data. Twilio is working round the clock to tackle the ongoing attack and will reveal the details publicly later. In the meantime, the organization will reach out to the affected customer if additional customer accounts are identified as compromised.


Key Points for Employee Social Engineering Awareness Training That Organizations Should Follow

Social engineering training can help strengthen the workforce against social engineering attacks that often lead to phishing, malware deployment, insider attacks, impersonation, and other cyberattacks. An effective social engineering awareness program should include the following:



  1. Employee Education: Educating employees about social engineering tactics such as baiting, scareware, pretexting, phishing, tailgating, whaling, and more.
  1. Emphasize Strict Guidelines: Provide strict guidelines to the workforce to be suspicious of unsolicited messages, protect sensitive information, and check email and message requests.
  1. Phishing Awareness: Providing phishing awareness training so employees can identify phishing emails and fake web pages. Furthermore, regular seminars on the latest attacks and new tactics can go a long way in ensuring a secure workplace.


Conclusion: What can Organizations Learn From The Attack on Twilio?

The attack on Twilio is a prime example where the organization invested in sophisticated and modern systems to ward off cyberattacks but was compromised due to an uneducated or poorly educated workforce.

The threat actors were able to dupe employees via SMS phishing messages and infiltrate organizational accounts to steal valuable data. Furthermore, the attack is so broad that the threat actors have been persistent within the system and could potentially compromise more accounts.

It is excellent for organizations to emphasize cybersecurity. Still, it is better to focus on a cybersecurity approach that starts at the unit level and incorporates adequate training and awareness for the workforce, executives, and the C-Suite. Since the social engineering attack campaign has targeted multiple organizations, it would be best to include social attack awareness in your security programs with the above guidelines in mind.