Communications products company Twilio has published an incident report on a successful phishing attack the company suffered on August 4, which resulted in a data breach for some of its customers' accounts.
Unknown attackers registered the twilio-sso.com and twilio-okta.com domain names at registrar Porkbun, and created phishing sites for them, iTnews learnt.
Okta refers to the well-known identity and management company, and SSO stands for single sign on, an authentication scheme for users.
With the phishing sites operational, the attackers then sent short messaging service (SMS) texts purporting to be from the company's IT department to employees.
The messages asked staffers to either update their passwords, or to view their changed Twilio schedules.
Some employees were fooled by the phishing messages sent through United States telcos, and provided their credentials to the attackers, who proceeded to access Twilio's internal systems.
The company would not say how many staff fell for the phishing attack, but said the hackers "seemed to have sophisticated abilities to match employee names from sources with their phone numbers".
Nor would Twilio reveal how many customer accounts had their data breached, saying only "a limited number" were affected by the hack.
Since the attack, Twilio, has revoked access for the hacked employees, and is contacting customers affected by the data breach.
Employees are also to undergo mandatory security training to help them withstand future social engineering attacks.
The identity of the hackers remains unknown, and Twilio said it has heard of other companies suffering similar attacks, with different carriers and hosting providers being used by them.
Twilio claims to have over 150,000 customers, including big brands such as Facebook, AirBnB, Dell and Salesforce.
Update August 10: Story amended to correct the phishing domain registrar information. We regret the error.
Update August 12: "We have identified approximately 125 Twilio customers whose data was accessed by malicious actors for limited period of time," the company said in an addendum to its post-mortem.
Twilio added that it has notified all affected customers, and said there is no evidence that their passwords, authentication tokens, or application programming interface keys were accessed without authorisation.
