Hackers behind a phishing attack that compromised accounts on cloud communications provider Twilio Inc. used their access to intercept onetime passwords issued by Okta Inc.

The hack on Twilio took place on Aug. 4 and involved the theft of employee credentials that in turn gave the hacker access to a limited number of customer accounts. To gain further access, the attacker impersonated Twilio’s information technology department in emails suggesting that employees’ passwords had expired or that they needed to schedule meetings, including a link. The link was to a fake web page that looked like official internal Twilio pages where employees were asked to enter their credentials.

How many customers had their accounts exposed is not clear. However, it was later revealed that the hack may have exposed the phone numbers of 1,900 users of the encrypted messaging app Signal. The same hacking group was reported on Aug. 25 to have breached 130 organizations, including Mailchimp and DigitalOcean Holdings Inc.

More details of the Twilio hack have come to light, with information of 163 Twilio customers now confirmed to have been compromised. But in an interesting twist, 93 of those accounts also had incoming Authy two-factor authentication messages hijacked. The hackers did so by registering additional devices to those accounts so they also received the 2FA messages.

“We have since identified and removed unauthorized devices from these Authy accounts,” Twilio said in an Aug. 24 status update. “Twilio purchased Authy in 2015 and various elements of Twilio’s platform support the functionality of Authy.” Account users affected have been notified and provided with additional guidance to protect their accounts.

Notably, in some cases, the attackers specifically looked for Twilio and Authy users with Okta accounts. They searched for 38 Okta-related phone numbers in Twilio’s admin panel, most of them associated with one organization that uses Okta.

“Software as a service has become an essential part of any application’s stack, so it’s natural that they are also a massive source of supply-chain risk,” Abhay Bhargav, chief executive officer and founder at AppSec training platform AppSecEngineer PTE Ltd., told SiliconANGLE today. “We saw this with DigitalOcean and Mailchimp and we’re seeing this with Twilio and OTP delivery.”

Bhargay added that attackers today are looking to perform “ecosystem”-style attacks where they compromise targets that have massive downstream ecosystems such as Twilio’s customers. “It’s important for organizations to include these SaaS tools as part of their threat models and actively consider an incident response with this in mind,” he said.

Photo: Twilio