The number of companies caught up in the Twilio hack keeps growing:
The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-
factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in
previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy,
which Twilio owns, said that the threat actor used its access to log in to only 93 individual accounts and enroll new
devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very
bad. Authy said it has since removed unauthorized devices from those accounts.
LastPass said the same threat actor used data taken from Twilio to gain unauthorized access through a single
compromised developer account to portions of the password manager's development environment. From there,
the phishers "took portions of source code and some proprietary LastPass technical information." LastPass said
that master passwords, encrypted passwords and other data stored in customer accounts, and customers'
personal information weren't affected. While the LastPass data known to be obtained isn't especially sensitive, any
breach involving a major password management provider is serious, given the wealth of data it stores.
DoorDash also said that an undisclosed number of customers had their names, email addresses, delivery
addresses, phone numbers, and partial payment card numbers stolen by the same threat actor. The threat actor
obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.
As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision.
The threat actors had private phone numbers of employees, more than 169 counterfeit domains mimicking Okta
and other security providers, and the ability to bypass 2FA protections that used one-time passwords.
The threat actor's ability to leverage data obtained in one breach to wage supply-chain attacks against the victims'
customers—and its ability to remain undetected since March—demonstrates its resourcefulness and skill. It's not
uncommon for companies that announce breaches to update their disclosures in the days or weeks following to
include additional information that was compromised. It won't be surprising if one or more victims here do the
If there's a lesson in this whole mess, it's that not all 2FA is equal. One-time passwords sent by SMS or generated
by authenticator apps are as phishable as passwords are: a code typed into a counterfeit page can be relayed to the real site before it expires, and that's what allowed the threat actors to bypass this last form of defense against account takeovers.
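To make the distinction concrete, here is an added simulation (not code from the article or from any of the companies named) of the two login flows. The OTP site accepts any valid six-digit code regardless of which web page the user typed it into, so a lookalike page can relay it within the 30-second window; the WebAuthn-style site gets an assertion in which the browser, not the page, wrote the origin, and the security key only holds a credential for the real site's domain. The origins, secrets and password are made up, and an HMAC stands in for the key's ECDSA signature.

```python
"""Added simulation: relayed TOTP logs the attacker in; a FIDO2/WebAuthn
assertion from a phishing page does not. All names and secrets are constructed."""
import base64, hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://sso.example.com"    # assumption: the real identity provider
PHISH_ORIGIN = "https://sso-example.com"   # assumption: attacker's lookalike domain


# ---- One-time passwords (RFC 6238 TOTP) ----------------------------------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class OtpSite:
    """The real site. It receives a password and a code; nothing in the code
    says which page the user typed it into."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password, self.totp_secret = password, totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        return hmac.compare_digest(password, self.password) and \
               hmac.compare_digest(code, totp(self.totp_secret, now))


def otp_relay_attack(site: OtpSite, victim_pw: str, victim_secret: bytes, now: int) -> bool:
    """Victim types password + current code into the lookalike page; the attacker's
    proxy forwards both to the real site a few seconds later, still inside the window."""
    code_typed_into_phish = totp(victim_secret, now)
    return site.login(victim_pw, code_typed_into_phish, now + 5)


# ---- FIDO2 / WebAuthn-style origin-bound assertion -----------------------
def rp_id_of(origin: str) -> str:
    """The browser derives the RP ID from the page's own domain; page script cannot
    substitute another site's domain."""
    return origin.split("://", 1)[1]


class Authenticator:
    """Simplified security key: one credential per RP ID; signs the client data the
    browser hands it. HMAC stands in for the real ECDSA signature (assumption)."""
    def __init__(self):
        self.credentials: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]          # the site stores this as its verification key

    def get_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        key = self.credentials.get(rp_id)
        if key is None:
            raise LookupError(f"no credential registered for rpId {rp_id!r}")
        return hmac.new(key, client_data, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str):
    """What the browser does for navigator.credentials.get(): it writes the current
    page's origin into clientDataJSON and selects the RP ID itself."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, auth.get_assertion(rp_id_of(page_origin), client_data)


class WebAuthnSite:
    def __init__(self, origin: str, verify_key: bytes):
        self.origin, self.verify_key = origin, verify_key
        self.pending: set[str] = set()

    def begin(self) -> str:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        self.pending.add(challenge)
        return challenge

    def finish(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False                        # signed for some other site's origin
        if data.get("challenge") not in self.pending:
            return False                        # unknown or already-used challenge
        self.pending.discard(data["challenge"])
        expected = hmac.new(self.verify_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def webauthn_legit_login(site: WebAuthnSite, auth: Authenticator) -> bool:
    client_data, sig = browser_get_assertion(auth, REAL_ORIGIN, site.begin())
    return site.finish(client_data, sig)


def webauthn_relay_attack(site: WebAuthnSite, auth: Authenticator) -> bool:
    """Attacker's page relays the real site's challenge to the victim. The victim's
    browser is on the phishing origin, so the key is asked for a credential scoped
    to the phishing domain, which it never registered."""
    challenge = site.begin()                    # attacker starts a real login
    try:
        client_data, sig = browser_get_assertion(auth, PHISH_ORIGIN, challenge)
    except LookupError:
        return False
    return site.finish(client_data, sig)


def webauthn_forged_origin_attack(site: WebAuthnSite, verify_key: bytes) -> bool:
    """Hypothetical: an assertion signed over the phishing origin with the real key.
    The origin check rejects it, and editing the origin field breaks the signature."""
    phish_cd = json.dumps({"type": "webauthn.get", "challenge": site.begin(),
                           "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    sig = hmac.new(verify_key, phish_cd, hashlib.sha256).digest()
    if site.finish(phish_cd, sig):
        return True
    fixed_cd = phish_cd.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return site.finish(fixed_cd, sig)
```

Two things in the WebAuthn half do the work: the browser scopes the request to the page's real domain, so the key has nothing to sign for the lookalike, and the origin is inside the signed data, so the attacker cannot relay an assertion obtained on one origin to another. The TOTP half shows the caveat in the other direction: the relay only works because it is real time; a code replayed two windows later is refused.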
One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on
2FA that used physical keys such as Yubikeys, which can't be phished because the key's signed response is bound to the real site's origin. Companies spouting the tired mantra that
they take security seriously shouldn't be taken seriously unless physical key-based 2FA is a staple of their digital