Twilio, which earlier this month fell victim to a sophisticated phishing attack[1], disclosed last week
that the threat actors also managed to gain access to the accounts
of 93 individual users of its Authy two-factor authentication (2FA)
service.
The communication tools company said[2]
the unauthorized access made it possible for the adversary to
register additional devices to those accounts. It has since
identified and removed the illegitimately added devices from the
impacted accounts.
Authy, acquired by Twilio in February 2015, allows safeguarding online
accounts[3] with a second security
layer to prevent account takeover attacks. It’s estimated to have
nearly 75 million users.
Twilio further noted that, as of August 24, 2022, its investigation had
turned up 163 affected customers, up from the 125 it reported on August
10; it said their accounts were hacked for a limited period of
time.
Besides Twilio, the sprawling campaign, dubbed 0ktapus[4]
by Group-IB, is believed to have struck 136 companies, including
Klaviyo and MailChimp, along with an unsuccessful attack against Cloudflare[5]
that was thwarted by the company’s use of hardware security
tokens.
Targeted companies span technology, telecommunications, and
cryptocurrency sectors, with the campaign employing a phishing kit
to capture usernames, passwords, and one-time passwords (OTPs) via
rogue landing pages that mimicked the Okta authentication pages of
the respective organizations.
The data was then secretly funneled in real time to a Telegram account
controlled by the cybercriminals, which in turn
enabled the threat actor to pivot and target other services in
what’s called a supply chain attack aimed at Signal[6]
and Okta, effectively widening the scope and scale of the
intrusions.
In all, the phishing expedition is believed to have netted the
threat actor at least 9,931 user credentials and 5,441 multi-factor
authentication codes.
Okta, for its part, confirmed[7]
the credential theft had a ripple effect, resulting in the
unauthorized access of a small number of mobile phone numbers and
associated SMS messages containing OTPs through Twilio’s
administrative console.
Stating that the OTPs have a five-minute validity period, Okta
said the incident involved the attacker directly searching for 38
unique phone numbers on the console – nearly all of them belonging
to a single entity – with the goal of expanding their access.
“The threat actor used credentials (usernames and passwords)
previously stolen in phishing campaigns to trigger SMS-based MFA
challenges, and used access to Twilio systems to search for
one-time passwords sent in those challenges,” Okta theorized.
Okta, which is tracking the hacking group under the moniker
Scatter Swine, further revealed its analysis of the incident logs
“uncovered an event in which the threat actor successfully tested
this technique against a single account unrelated to the primary
target.”
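The technique Okta describes above, an SMS MFA challenge triggered with stolen credentials and the OTP then read back through an administrative console, has a detectable shape: a console lookup of a phone number shortly after that number was sent an OTP, repeated across several numbers. The following is an added example, not code from Twilio, Okta or the article; the event format and the admin identifiers are constructed for illustration, and only the five-minute OTP validity window comes from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OTP_VALIDITY = timedelta(minutes=5)  # validity window for the SMS OTPs, as stated by Okta

# Constructed sample events in a hypothetical schema (not a real Twilio log format).
# "sms_otp_sent": an SMS MFA challenge went to a phone number.
# "console_search": an administrator looked a phone number up in the console.
SAMPLE_EVENTS = [
    {"ts": "2022-08-09T14:00:05", "type": "sms_otp_sent", "to": "+15550100"},
    {"ts": "2022-08-09T14:01:10", "type": "console_search", "actor": "admin_a", "query": "+15550100"},
    {"ts": "2022-08-09T14:02:00", "type": "sms_otp_sent", "to": "+15550101"},
    {"ts": "2022-08-09T14:02:30", "type": "console_search", "actor": "admin_a", "query": "+15550101"},
    # Lookup with no preceding OTP: ordinary support activity, not flagged.
    {"ts": "2022-08-09T16:30:00", "type": "console_search", "actor": "admin_b", "query": "+15550102"},
    # Lookup 20 minutes after the OTP: the code has already expired, not flagged.
    {"ts": "2022-08-09T10:00:00", "type": "sms_otp_sent", "to": "+15550103"},
    {"ts": "2022-08-09T10:20:00", "type": "console_search", "actor": "admin_b", "query": "+15550103"},
]


def find_otp_lookups(events, window=OTP_VALIDITY):
    """Return (actor, phone, seconds_since_otp) for every console search of a
    phone number that received an SMS OTP within `window` before the search."""
    last_otp = {}  # phone number -> timestamp of the most recent OTP sent to it
    hits = []
    # ISO-8601 timestamps sort correctly as strings, so events replay in time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sms_otp_sent":
            last_otp[ev["to"]] = t
        elif ev["type"] == "console_search":
            sent = last_otp.get(ev["query"])
            if sent is not None and timedelta(0) <= t - sent <= window:
                hits.append((ev["actor"], ev["query"], (t - sent).total_seconds()))
    return hits


def actors_over_threshold(hits, min_numbers=2):
    """Escalate actors whose in-window lookups span several distinct phone
    numbers; a single coincidental lookup stays below the threshold."""
    per_actor = defaultdict(set)
    for actor, phone, _ in hits:
        per_actor[actor].add(phone)
    return {a: sorted(p) for a, p in per_actor.items() if len(p) >= min_numbers}


if __name__ == "__main__":
    for actor, phones in actors_over_threshold(find_otp_lookups(SAMPLE_EVENTS)).items():
        print(f"{actor}: looked up {len(phones)} numbers inside the OTP window: {phones}")
```

In practice the same correlation would run over the SMS provider's message log joined with the console's audit trail, with the threshold tuned to the volume of legitimate support lookups.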
As in the case of Cloudflare, the identity and access
management (IAM) provider reiterated that it’s aware of several
cases where the attacker sent out a blast of SMS messages targeting
employees and their family members.
“The threat actor likely harvests mobile phone numbers from
commercially available data aggregation services that link phone
numbers to employees at specific organizations,” Okta pointed
out.
Another supply chain victim of the campaign is food delivery
service DoorDash, which said[8]
it detected “unusual and suspicious activity from a third-party
vendor’s computer network,” prompting the company to disable the
vendor’s access to its system to contain the breach.
According to the company, the break-in permitted the attacker to
access names, email addresses, delivery addresses, and phone
numbers associated with a “small percentage of individuals.” In
select cases, basic order information and partial payment card
information was also accessed.
DoorDash, which has directly notified affected users, noted that
the unauthorized party also obtained delivery drivers’ (aka
Dashers) names and phone numbers or email addresses, but emphasized
that passwords, bank account numbers, and Social Security numbers
were not accessed.
The San Francisco-based firm did not divulge additional details
on who the third-party vendor is, but it told TechCrunch that the
breach is linked[9]
to the 0ktapus phishing campaign.
References
1. sophisticated phishing attack (thehackernews.com)
2. said (www.twilio.com)
3. safeguarding online accounts (authy.com)
4. 0ktapus (thehackernews.com)
5. Cloudflare (thehackernews.com)
6. Signal (thehackernews.com)
7. confirmed (sec.okta.com)
8. said (doordash.news)
9. breach is linked (techcrunch.com)
Read more https://thehackernews.com/2022/08/twilio-breach-also-compromised-authy.html