The malicious actors who breached Twilio’s security in July were also behind a smaller incident in June.
These cyber criminals sent hundreds of smishing text messages to the mobile phones of current and former Twilio employees, Twilio says in a blog post.
In addition, they created fake Okta login pages, using such domains as twilio-sso.com, twilio.net, twilio.org, sendgrid-okta.org, twilio-okta.net, and twilio-okta.com.
The result: Some Twilio employees entered their credentials on these fake pages.
“The malicious actors then used the credentials of these Twilio employees to access internal Twilio administrative tools and applications to access certain customer information, which we have detailed in previous blog posts on the incident,” the post says.
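The look-alike domains above all follow one pattern: a brand name (twilio, sendgrid) glued to an identity-provider or login keyword (okta, sso), or the bare brand name registered under a TLD the company does not own. The following script is an added example, not code from Twilio or from the original article, that scans a list of newly observed hostnames for that pattern so a security team can flag candidate credential-phishing domains before employees are smished. The allowlist of owned domains, the keyword lists and the sample hostnames (the six domains from the article plus a few constructed decoys) are assumptions for the example; the registrable-domain helper is deliberately naive and a production version would use the public suffix list.

```python
"""Flag look-alike domains that pair a brand name with SSO/IdP login keywords.

Added example (not Twilio's code). Run it against a feed of newly registered
or newly certificate-logged hostnames; the sample list below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand terms the attackers impersonated, per the article.
BRAND_TERMS = ("twilio", "sendgrid")
# Identity-provider / login keywords that typically appear in phishing hostnames.
IDP_TERMS = ("okta", "sso", "login", "signin", "auth", "mfa")
# Assumed allowlist of registrable domains the organisation actually owns.
LEGIT_DOMAINS = {"twilio.com", "sendgrid.com"}

# Constructed sample feed: the six domains named in the article, one legitimate
# host, one brand-in-subdomain decoy and one unrelated domain.
SAMPLE_DOMAINS = [
    "twilio-sso.com", "twilio.net", "twilio.org", "sendgrid-okta.org",
    "twilio-okta.net", "twilio-okta.com",
    "sso.twilio.com",          # legitimate host under an owned domain
    "twilio.com.evil.net",     # brand name pushed into a subdomain
    "example.org",             # noise
]


@dataclass(frozen=True)
class Finding:
    domain: str
    reasons: Tuple[str, ...]


def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for .com/.net/.org here;
    a real deployment should consult the public suffix list."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess_domain(fqdn: str) -> Optional[Finding]:
    """Return a Finding describing why the hostname looks like a brand
    impersonation, or None if it is owned or carries no brand term."""
    fqdn = fqdn.lower().strip(".")
    reg = registrable_domain(fqdn)
    if reg in LEGIT_DOMAINS:
        return None  # any host under a domain we own is not a look-alike
    brands = [b for b in BRAND_TERMS if b in fqdn]
    if not brands:
        return None
    # Split on dots and hyphens so "twilio-sso" yields the label "sso".
    labels = re.split(r"[.-]", fqdn)
    idps = [k for k in IDP_TERMS if k in labels]
    reasons = [f"brand '{b}' combined with IdP keyword '{k}'"
               for b in brands for k in idps]
    reg_name = reg.rsplit(".", 1)[0]  # registrable name without its TLD
    if reg_name in BRAND_TERMS:
        reasons.append(f"bare brand '{reg_name}' under TLD not in allowlist ({reg})")
    elif not any(b in reg for b in brands):
        reasons.append(f"brand appears only in subdomain of unrelated domain {reg}")
    if not reasons:
        reasons.append(f"brand term embedded in unowned domain {reg}")
    return Finding(fqdn, tuple(reasons))


def scan(domains: List[str]) -> List[Finding]:
    """Assess every hostname in the feed and keep only the flagged ones."""
    return [f for f in (assess_domain(d) for d in domains) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS):
        print(finding.domain)
        for reason in finding.reasons:
            print("   -", reason)
```

Flagged domains are candidates for blocking at the web proxy, for a takedown request and for a retrospective search of DNS and proxy logs, which is how a team would check whether anyone had already visited one of them. The keyword-in-label match is intentionally strict (it matches `sso` but not `associate`) to keep false positives low on a high-volume feed.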
But only 209 users had their accounts impacted by the incident, the company adds. And there is no evidence that the threat actors accessed “Twilio customers’ console account credentials, authentication tokens or API keys,” it adds.
The company also concluded that the same malicious actors were behind the June incident, in which a Twilio employee was “socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers.”
Twilio, parent of the SendGrid email service, has taken these actions:
- Resetting credentials of the compromised Twilio employee user accounts;
- Revoking all active sessions associated with the compromise of Okta-integrated apps;
- Blocking all indicators of compromise associated with the attack;
- Initiating takedown requests of the fake Twilio domains.