The number of companies caught up in the Twilio hack keeps growing

Getty Images

The fallout from this month’s breach of safety supplier Twilio keeps coming. Three new companies—authentication service Authy, password supervisor LastPass, and meals supply service DoorDash—stated in latest days that the Twilio compromise led to them being hacked.

The three companies be a part of authentication service Okta and safe messenger supplier Signal in the doubtful membership of Twilio prospects identified to be breached in follow-on assaults that leveraged the knowledge obtained by the intruders. In all, safety agency Group-IB stated on Thursday, a minimum of 136 companies have been equally hacked, so it is probably many extra victims will likely be introduced in the coming days and weeks.

Uncommonly resourceful

The compromises of Authy and LastPass are the most regarding of the new revelations. Authy says it shops two-factor authentication tokens for 75 million customers. Given the passwords the risk actor has already obtained in earlier breaches, these tokens might have been the solely issues stopping the takeover of extra accounts. Authy, which Twilio owns, stated that the risk actor used its entry to log in to solely 93 particular person accounts and enroll new units that would obtain one-time passwords. Depending on who these accounts belong to, that could possibly be very unhealthy. Authy stated it has since eliminated unauthorized units from these accounts.

LastPass stated the similar risk actor used knowledge taken from Twilio to realize unauthorized entry by way of a single compromised developer account to parts of the password supervisor’s improvement atmosphere. From there, the phishers “took portions of source code and some proprietary LastPass technical information.” LastPass stated that grasp passwords, encrypted passwords and different knowledge saved in buyer accounts, and prospects’ private data weren’t affected. While the LastPass knowledge identified to be obtained is not particularly delicate, any breach involving a serious password administration supplier is severe, given the wealth of knowledge it shops.


DoorDash additionally stated that an undisclosed number of prospects had their names, e-mail addresses, supply addresses, telephone numbers, and partial cost card numbers stolen by the similar risk actor. The risk actor obtained names, telephone numbers, and e-mail addresses from an undisclosed number of DoorDash contractors.

As already reported, the preliminary phishing assault on Twilio was well-planned and executed with surgical precision. The risk actors had personal telephone numbers of workers, greater than 169 counterfeit domains mimicking Okta and different safety suppliers, and the skill to bypass 2FA protections that used one-time passwords.

The risk actor’s skill to leverage knowledge obtained in one breach to wage supply-chain assaults towards the victims’ prospects—and its skill to stay undetected since March—demonstrates its resourcefulness and talent. It’s not unusual for companies that announce breaches to replace their disclosures in the days or perhaps weeks following to incorporate extra data that was compromised. It will not be stunning if a number of victims right here do the similar.

If there is a lesson in this complete mess, it is that not all 2FA is equal. One-time passwords despatched by SMS or generated by authenticator apps are as phishable as passwords are, and that is what allowed the risk actors to bypass this final type of protection towards account takeovers.

One firm that was focused however did not fall sufferer was Cloudflare. The motive: Cloudflare workers relied on 2FA that used bodily keys similar to Yubikeys, which may’t be phished. Companies spouting the drained mantra that they take safety critically should not be taken critically until bodily key-based 2FA is a staple of their digital hygiene.


Please enter your comment!
Please enter your name here

Popular Posts

‘Big Tech never loses a legislative fight – and they just did’ as new bills pass

Policy advocates who've been pushing for new laws reining in Big Tech's energy have seen their hopes lifted and shattered a number of instances...

Bank of England says pension funds were hours from disaster before it intervened

Buses move within the City of London monetary district exterior the Royal Exchange close to the Bank of England on 2nd July 2021 in...

Suit Yourself: Everything You Need to Know About Hardware

When it comes to superhero archetypes, everybody has their favorites. Take your decide of the stretchy set between Plastic Man or Elongated Man. There...

French Writer Annie Ernaux Awarded Nobel Prize in Literature

STOCKHOLM (AP) — French creator Annie Ernaux, who mined her personal biography to discover life in France because the Nineteen Forties, was awarded this...

Take the uncertainty out of game funding with alternate sources, better pitches and more

Presented by XsollaFor indie video games, funding will be the largest impediment. But on this VB Live occasion, you’ll study all the things you...