
The number of companies caught up in the Twilio hack keeps growing:

The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy, which Twilio owns, said that the threat actor used its access to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said it has since removed unauthorized devices from those accounts.


LastPass said the same threat actor used data taken from Twilio to gain unauthorized access through a single compromised developer account to portions of the password manager's development environment. From there, the phishers "took portions of source code and some proprietary LastPass technical information." LastPass said that master passwords, encrypted passwords and other data stored in customer accounts, and customers' personal information weren't affected. While the LastPass data known to be obtained isn't especially sensitive, any breach involving a major password management provider is serious, given the wealth of data it stores.

DoorDash also said that an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers stolen by the same threat actor. The threat actor obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.

As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision. The threat actors had private phone numbers of employees, more than 169 counterfeit domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.

The threat actor's ability to leverage data obtained in one breach to wage supply-chain attacks against the victims' customers—and its ability to remain undetected since March—demonstrates its resourcefulness and skill. It's not uncommon for companies that announce breaches to update their disclosures in the days or weeks following to include additional information that was compromised. It won't be surprising if one or more victims here do the same.


If there's a lesson in this whole mess, it's that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are, and that's what allowed the threat actors to bypass this last form of defense against account takeovers.


One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as YubiKeys, which can't be phished. Companies spouting the tired mantra that they take security seriously shouldn't be taken seriously unless physical key-based 2FA is a staple of their digital hygiene.
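The difference between the two kinds of 2FA in the last two paragraphs comes down to what the server can verify. A one-time password is just a six-digit string: the site receiving it cannot tell whether the user typed it on the real login page or on a counterfeit one that forwards it along within the same 30-second window. A FIDO/WebAuthn assertion, by contrast, is a signature over data that includes the origin the browser was actually on, so a relying party that checks the origin rejects anything produced on a lookalike domain. The following is an added example written for this page, not code from Twilio, Authy, Cloudflare or any of the products named above. It implements RFC 6238 TOTP with the standard library and a deliberately simplified WebAuthn-style assertion: the authenticator's per-credential key pair is modelled as a symmetric key shared with the relying party and the ECDSA signature as an HMAC over sha256(clientDataJSON), which is enough to show the origin-binding property. The origins, key, nonce and timestamp are constructed values.

```python
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238, HMAC-SHA1): the "authenticator app" second factor ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the one-time password for the time window containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The code carries no information about where it was typed, so a relayed code verifies.
    return hmac.compare_digest(totp(secret, unix_time), code)


# --- Simplified FIDO/WebAuthn assertion with origin binding ---
# Simplification (see lead-in): symmetric credential key and HMAC stand in for the
# authenticator's key pair and ECDSA signature. The signed data still contains the
# origin that the browser reported, which is the property being demonstrated.

def authenticator_sign(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}


def verify_assertion(cred_key: bytes, assertion: dict,
                     expected_challenge: bytes, expected_origin: str) -> bool:
    """Relying-party side: every check here is one the real WebAuthn spec requires."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():       # stale or replayed challenge
        return False
    if cd.get("origin") != expected_origin:                   # origin binding: defeats relay
        return False
    expected_sig = hmac.new(cred_key, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


# --- Scenario: the same relay applied to both factors (all values constructed) ---

REAL_ORIGIN = "https://sso.example.com"        # the genuine relying party
LOOKALIKE_ORIGIN = "https://sso-example.com"   # counterfeit domain the victim is really on
TOTP_SECRET = b"12345678901234567890"           # RFC 6238 test-vector secret
CRED_KEY = b"constructed-credential-key"
FIXED_TIME = 1_700_000_000


def relay_scenario() -> dict:
    # TOTP: the victim types the code on the lookalike; it is forwarded to the real site
    # inside the same time window and verifies, because nothing ties it to an origin.
    code_typed_on_lookalike = totp(TOTP_SECRET, FIXED_TIME)
    totp_relayed = verify_totp(TOTP_SECRET, code_typed_on_lookalike, FIXED_TIME)

    # FIDO: even if the real site's challenge is forwarded unchanged, the victim's browser
    # hands the authenticator the origin it is actually on, and that origin is signed.
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    relayed = authenticator_sign(CRED_KEY, challenge, LOOKALIKE_ORIGIN)
    fido_relayed = verify_assertion(CRED_KEY, relayed, challenge, REAL_ORIGIN)

    # Same key, same challenge, genuine origin: accepted.
    genuine = authenticator_sign(CRED_KEY, challenge, REAL_ORIGIN)
    fido_genuine = verify_assertion(CRED_KEY, genuine, challenge, REAL_ORIGIN)

    return {
        "totp_relayed_accepted": totp_relayed,     # True: the relay works
        "fido_relayed_accepted": fido_relayed,     # False: origin mismatch
        "fido_genuine_accepted": fido_genuine,     # True: legitimate login still works
    }


if __name__ == "__main__":
    print(relay_scenario())
```

Two things worth noting from a defender's side. First, in a real deployment the lookalike never even gets this far: the browser checks the credential's RP ID against the page origin before invoking the authenticator, so the assertion for the counterfeit domain is simply never produced; the server-side origin check shown above is the second, independent line of defense. Second, the origin check in `verify_assertion` is only as good as the list of expected origins the relying party configures, so that list should be exact hostnames rather than suffix or wildcard matches.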


Source: https://cyware.com/cyber-security-news-articles