UPDATED 13:10 EDT / AUGUST 08 2022

SECURITY

Twilio customer data breached after employee credentials hacked

Cloud communications provider Twilio Inc. disclosed today that it was targeted by a cyberattack that led to the theft of employee credentials, which in turn gave the hackers access to a “limited number” of customer accounts.

The company said in a blog post that it became aware of the attack on Aug. 4. Employees were targeted by what it called a “sophisticated social engineering attack,” in effect a phishing attack designed to trick them into giving up their credentials.

“The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data,” the company said. “We continue to notify and are working directly with customers who were affected by this incident. We are still early in our investigation, which is ongoing.”

During a phishing attack, a hacker crafts a message that appears to be official in an attempt to trick a person into providing information. In this case, the attacker impersonated Twilio by making it appear that the messages came from the information technology department. The messages suggested that employees’ passwords had expired or that they needed to schedule meetings, and they included a link.

To sell the impersonation, messages included URLs with the words “Twilio,” “Okta” and “SSO,” all keywords associated with things employees would expect from the IT department.

If employees clicked on the links, they were taken to web pages that looked exactly like official internal Twilio pages, except that they were completely controlled by the hackers. The pages featured a login form asking employees to enter their credentials so that they could change their password or set up their meeting. From there the credentials would have been stolen.
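The keyword-bearing links described above lend themselves to a simple triage check. The following is an added example, not code from Twilio or from the original article: it flags URLs that contain one of the keywords the article names but whose hostname is not on an allowlist. The allowlisted domains, the function names and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Keywords the article says appeared in the phishing URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Assumption: illustrative allowlist of the organisation's real sign-in domains.
ALLOWED_DOMAINS = ("twilio.com", "okta.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (reserved .example domains, not real indicators).
SAMPLE_MESSAGES = [
    "Notice: your password has expired. Reset at https://twilio-sso.example/reset.",
    "Schedule change, confirm here: https://okta.com.login.example/meet",
    "IT: sign in at https://twilio.com@portal.example/expired",
    "Docs are at https://www.twilio.com/login",
    "Lunch menu: https://calendar.example.org/today",
]


def host_of(url):
    """Hostname only: drops userinfo ('user@') and port, lower-cased."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return ""
    return host.rstrip(".")


def is_allowed(host):
    """True only for an allowed domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def suspicious_urls(message):
    """URLs that carry a brand keyword but whose host is not allowlisted."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")
        if any(k in url.lower() for k in BRAND_KEYWORDS) and not is_allowed(host_of(url)):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(suspicious_urls(msg) or "ok", "<-", msg)
```

Matching on the parsed hostname rather than the raw string is what catches the `okta.com.login.example` and `twilio.com@portal.example` forms, which a plain substring check for the real domain would pass.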

Upon discovering the breach, Twilio’s security team immediately revoked access to the compromised accounts to mitigate the attack and the company said it’s employing a forensic team to aid its ongoing investigation. The affected customers are being notified on an individual basis.

Twilio also said that it was working with the U.S. carriers where the text messages originated to shut down further distribution. The company also worked with the hosting providers serving the malicious pages to shut those accounts down.

“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” the company said. “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”

Twilio did not reveal details of which customers were affected or what data was affected.

The company provides communication application programming interfaces for SMS, voice, video and other communications channels for over 268,000 active customer accounts.

Phishing attacks are by nature extremely hard to prevent because they subvert technology by fooling people instead. Knowing this, Twilio said, the company intends to redouble its efforts to educate its staff about social engineering attacks and increase awareness.
