At a glance.
- Twilio discloses a data breach.
- Social engineering at Klaviyo exposes customer data.
Twilio discloses a data breach.
Twilio, which TechCrunch describes as a "communications giant" whose platform enables developers to build voice and SMS features into their apps, has disclosed a data breach. "On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials," the company said in a blog post. "This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data." The company is working directly with affected customers, and it still has the incident under investigation. CyberScoop reports that Twilio is heavily used by political campaigns,
We received comments on the incident from several security experts. Jeannie Warner, director of product marketing at Exabeam, sees the incident as a cautionary tale about the dangers of phishing:
"This is a storybook case of the damage phishing links can do. Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting these malicious links.
"There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domains/URL lookups. However, like any signature-based approach, newly-crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organizations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack."
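As an added illustration of the two-layer approach Warner describes (signature lookup first, then heuristics for URLs no list has seen yet), the following Python is example code written for this digest, not Exabeam's product and not anything recovered from the incident; the blocklist, the "acme" brand, its domain and the SMS samples are all constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders standing in for a real threat-intel feed and the
# defender's own brand/domain inventory.
BLOCKLIST = {"known-bad-phish.example"}
BRAND = "acme"                       # brand the lures impersonate (constructed)
LEGIT_DOMAINS = {"acme.com"}         # registered domains the brand really owns
LURE_WORDS = ("password", "expire", "reset", "sso", "login", "verify", "okta")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registered_domain(host):
    """Naive eTLD+1: last two labels (good enough for the constructed sample)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def url_verdict(url):
    """Return (verdict, reasons). Signature check first, heuristics second."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registered_domain(host)
    if reg in BLOCKLIST:
        return "block", ["registered domain on blocklist"]
    if reg in LEGIT_DOMAINS:
        return "allow", ["brand-owned domain"]
    reasons = []
    if BRAND in host:                # brand name inside a host the brand does not own
        reasons.append("brand name in non-brand host")
    text = host + p.path.lower()     # credential-reset vocabulary in host or path
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        reasons.append("lure words: " + ",".join(hits))
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("IP literal host")
    if host.count("-") >= 2:
        reasons.append("heavily hyphenated host")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "unknown"
    return verdict, reasons

def scan_sms(message):
    """Extract every URL from an SMS body and classify each one."""
    return [(u, *url_verdict(u)) for u in URL_RE.findall(message)]

# Constructed sample messages, not text from the incident.
SAMPLES = [
    "ACME IT: your password expires today. Renew at https://acme-sso.example/reset",
    "Track your parcel: https://known-bad-phish.example/track/991",
    "Team offsite photos: https://photos.acme.com/album/42",
]

if __name__ == "__main__":
    for m in SAMPLES:
        for url, verdict, reasons in scan_sms(m):
            print(f"{verdict:10} {url}  ({'; '.join(reasons)})")
```

The first sample is exactly the case a blocklist misses: a never-seen domain that still carries the brand name and password-reset wording, which is what the heuristic layer catches.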
Tim Prendergast, CEO of strongDM, advises closer attention to access management:
"The Twilio breach that gave hackers access to customers' data highlights how crucial strong access management and infrastructure are to maintain strong security. Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases and servers, and access to everything companies don't want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. In this case, we're seeing that SMS phishing messages baited Twilio employees into clicking links that warned them of password changes. The first step here is, rather than point fingers, because in truth this could have happened to anyone, that it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Neil Jones, director of cybersecurity evangelism at Egnyte, warns that social engineering can take many forms:
"The alleged cyber-attack on digital authentication provider Twilio reminds us that organizations' IT security programs are only as strong as their weakest links. Here, we see how social engineering and 'smishing' tactics can lead to fraudulent account access and ultimately impact a brand's reputation. The situation also demonstrates that users have a more intimate technical relationship with their mobile devices, making mobile-based attacks much more impactful on end-users. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user's 'Business Need to Know' are powerful deterrents. You also need to re-educate your company's users that phishing attacks don't occur only by e-mail."
Erfan Shadabi, cybersecurity expert with comforte AG, sees human error as the backstory of this and other recent breaches:
"Many of the data breaches we have seen in the past few months have human error lurking within their backstories. Phishing is a type of cybercrime in which victims are contacted by an attacker posing as a trustworthy entity in order to obtain sensitive information or data, such as login credentials, credit card details, or other personally identifiable information.
"One of the best approaches to mitigate such attacks is to adopt the Zero Trust framework. Zero Trust means you assume you've already been breached, provide no implicit trust, verify again and again, and only provide minimal privileges upon successful authentication. Protection methods such as tokenization can complement this framework because by tokenizing sensitive data immediately upon entering the corporate data ecosystem—and then not de-protecting it—people can have minimal or no access to the truly sensitive information while still being able to accomplish tasks (like data analytics). Positive trends such as Zero Trust architectures, supported by more data-centric protection methods (protecting the data itself rather than the borders around it), can really help in the long run."
Social engineering at Klaviyo exposes customer data.
In another incident traceable to credential theft, BleepingComputer reports that the email marketing firm Klaviyo has disclosed a data breach. The firm wrote on its blog, "On August 3rd, we identified a Klaviyo employee’s login credentials had been compromised, as a result of suspicious activity from our internal logging and a user report. This allowed a threat actor to gain access to the employee’s Klaviyo account and, as a result, some of our internal support tools." Klaviyo, much of whose business is focused on cryptocurrency, explained that the attacker seemed interested in two classes of information:
- "The threat actor used the internal customer support tools to search for primarily crypto related accounts and viewed list and segment information for 44 Klaviyo accounts. For 38 of these accounts, the threat actor downloaded list or segment information. The information downloaded contained names, email addresses, phone numbers, and some account specific custom profile properties for profiles in those lists or segments. All of these accounts have been notified with the details of which profiles and profile fields were accessed or downloaded.
- "The threat actor also viewed and downloaded two of Klaviyo’s internal lists used for product and marketing updates. These exports included information such as name, address, email address and phone number. The download did not include any passwords, password hashes, or credit card numbers. The download also did not include any account data for subscribers who have a Klaviyo account. All impacted individuals have been notified."
BleepingComputer says that it's aware of evidence that threat actors are actively looking for the data stolen in the breach. For now it's likely that the data will either be used by those who stole it or sold to other criminals in the criminal-to-criminal (C2C) market. Eventually the information will probably simply be dumped online, but the incident is too recent for that to have happened yet.