Twilio customer data exposed after its staffers got phished

Twilio confirmed someone breached its security and accessed "a limited number" of customer accounts after successfully phishing some of its employees. The company declined to respond to The Register's inquiries about how many customers' accounts were compromised and the type of data that the crooks stole, though the …

  1. simkin

    Sophisticated

    A lot of my users have been getting very targeted phishes claiming to be from managers, along with sigs matching the sender's actual titles, etc. Figured out it's just harvested from LinkedIn. Hard to protect people when they self-publish everything needed to pretend to be them.

  2. fidodogbreath

    Today we learned

    that Twilio doesn't use 2FA to protect accounts with privileged access to their backend systems and customer data.

  3. Doctor Syntax Silver badge

    Give an incorrect password the first time. The fake site has to believe it. If it was accepted then (a) you don't give a real one, (b) you can raise the alarm and (c) the scallies have duff data,

    1. Anonymous Coward

      Sure

      but I still prefer to, you know, check the URL before I open it. If the server behind that link is hosting attack code your fake password trick is only solving one problem when you face two.

      Though if you did feed a unique fake in and it pops up somewhere, that will connect some dots. But the attacker can easily check if it succeeded, so they should also be aware it's a fake after the failed login, and your machine's IP may be the only thing that shows up in the logs. Unless you can cut over to a honeypot, which would let you flip that script in a fairly literal sense.
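A defender-side version of the "unique fake password" idea from this sub-thread, as an added example that is not from any commenter: the real service keeps a second, decoy (honeyword-style) verifier per user, so when a phishing kit replays the decoy in real time the attempt is classified as a canary hit and the replaying IP is recorded rather than lost among ordinary failures. The class, the user names and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

def _verifier(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class CanaryAuth:
    """Password check storing a real verifier and a decoy ('canary') verifier per user."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # user -> (salt, real, canary)
        self.alerts: List[dict] = []

    def enrol(self, user: str, real_pw: str, canary_pw: str) -> None:
        # The canary is a password the user only ever types into a suspected phishing page.
        if real_pw == canary_pw:
            raise ValueError("canary must differ from the real password")
        salt = os.urandom(16)
        self.users[user] = (salt, _verifier(real_pw, salt), _verifier(canary_pw, salt))

    def login(self, user: str, password: str, src_ip: str) -> str:
        """Return 'ok', 'fail' or 'canary'; a canary hit records the replaying source IP."""
        rec = self.users.get(user)
        if rec is None:
            return "fail"
        salt, real, canary = rec
        cand = _verifier(password, salt)
        if hmac.compare_digest(cand, real):
            return "ok"
        if hmac.compare_digest(cand, canary):
            # Only the phishing page ever saw the decoy, so whoever replays it is the phisher.
            self.alerts.append({"user": user, "src_ip": src_ip})
            return "canary"
        return "fail"

def demo() -> Tuple[List[str], List[dict]]:
    # Constructed scenario: alice enrols, then a kit replays her decoy from 203.0.113.45.
    auth = CanaryAuth()
    auth.enrol("alice", "correct-horse-battery", "decoy-7f3-for-phish-page")
    results = [
        auth.login("alice", "correct-horse-battery", "198.51.100.7"),     # her own login
        auth.login("alice", "decoy-7f3-for-phish-page", "203.0.113.45"),  # phisher replay
        auth.login("alice", "guess123", "203.0.113.45"),                  # plain failure
    ]
    return results, auth.alerts
```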

      1. Hawkeye Pierce

        Re: Sure

        Except as has been proven many times over, humans are **REALLY** bad at a) looking at the URL and b) determining whether it is valid.

        From mobile browsers hiding the URL, to non-Western characters in the domain to make it look right, to variations on the domain name (twilio-support.com, login-twilio.com, etc.), anyone, whether company or user, relying on reading the URL for their security is going to hit trouble.

        See https://www.troyhunt.com/humans-are-bad-at-urls-and-fonts-dont-matter/ for a good write-up with examples.
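The look-alike patterns listed above (hyphenated brand variants, non-Western characters, brand used as a subdomain) as an added example of what a mail gateway or browser extension could check, not code from any commenter or from Twilio: it reduces a link's host to an ASCII skeleton before comparing it with the expected registrable domain. The brand, the expected domain and the small homoglyph map are assumptions; the "last two labels" rule ignores multi-part public suffixes such as co.uk.

```python
import unicodedata
from urllib.parse import urlsplit

BRAND = "twilio"            # assumption: the brand a user expects in the link
LEGIT_DOMAIN = "twilio.com" # assumption: the only registrable domain treated as legitimate

# Partial homoglyph map (assumption): Cyrillic a/e/o/i, Greek iota, and digits used for letters.
_HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i", "\u03b9": "i",
    "0": "o", "1": "i",
})

def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'www.twilio.com' -> 'twilio.com'."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def skeleton(host: str) -> str:
    """Fold the host to plain ASCII-ish letters so confusable characters compare equal."""
    folded = unicodedata.normalize("NFKD", host)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(_HOMOGLYPHS)

def classify_url(url: str) -> str:
    """Return 'ok', 'lookalike' or 'unrelated' for the host of a link."""
    host = (urlsplit(url).hostname or "").lower()
    # Decode punycode (xn--...) so IDN hosts are judged on their real characters.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII, or not valid punycode: keep as-is
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "ok"
    # Any other host that still spells the brand (after folding) is a look-alike candidate;
    # the path is deliberately ignored, since example.org/twilio is merely unrelated.
    return "lookalike" if BRAND in skeleton(host) else "unrelated"
```

Anything returning "lookalike" is a candidate for blocking or for rewriting the link to a warning page, not proof of malice on its own.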

        1. ThatOne Silver badge

          Re: Sure

          > humans are **REALLY** bad at a) looking at the URL and b) determining whether it is valid.

          And companies (especially banks and similar unimportant websites) are **REALLY** good at making legit URLs look as suspect as possible, clearly to progressively desensitize the victim customer until he accepts any funny looking URL as legit.

          That is, if the browser even allows you to see it, apparently nowadays URLs are considered uncool and something you shouldn't worry your pretty little head with... O tempora, o mores...

          1. iron

            Re: Sure

            Which is why you don't click any links in emails and go to the company's website manually instead.

    2. ThatOne Silver badge

      > If it was accepted then (a) you don't give a real one, (b) you can raise the alarm

      Won't work, because usually the attacker site immediately uses it to log in, so he will immediately know it's incorrect and most likely tell you and ask for the correct one, much like the legit site.

      In breaches of this kind time is precious, the attackers will try to establish a solid foothold in your network before somebody smarter than the rest sounds the alarm and passwords get changed.

    3. Anonymous Coward

      Bad advice

      > Give an incorrect password the first time

      DON'T do that.

      You've thought about it. So have the people who make a living out of this. The credentials are checked in real time, which is also how you get around 2FA.

      If in any doubt at all about the legitimacy of a site just don't log in, plain and simple.

  4. IGotOut Silver badge

    Hmmm

    "the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,"

    95% of LinkedIn users?

    1. ThatOne Silver badge

      Re: Hmmm

      > seemed to have sophisticated abilities

      Like entering a name in a search engine and (brace yourself!) jotting down the results?

      1. fidodogbreath

        Re: Hmmm

        No, they're even more sophisticated. They use copy & paste!

        HOW CAN YOU DEFEND AGAINST AN ATTACKER WITH SUCH ADVANCED CAPABILITIES?!?!

        I'm still puzzled that Twilio does not seem to use 2FA, since they are the developer of Authy.

        1. Diogenes8080

          Re: Hmmm

          And Brian Krebs put the boot in Twilio for lack of MFA nearly 2 years ago to the day:

          https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/
