Oktapus attack on Twilio exposes data of 163 companies

The phishing attack that led to a data breach for communications company Twilio has led to 163 companies, each with hundreds of customers of their own, being affected by the breach.

The breach, now referred to as Oktapus by researchers, involved a targeted phishing attack against Twilio employees to gain unauthorized access to Twilio’s servers and its customer data. The breach was discovered on 4 August.

The communications platform disclosed in an update on the attack that it has identified 163 Twilio customers whose “data was accessed without authorization for a limited period of time”. In addition 93 users of the two-factor authentication app Authy, which Twilio owns, saw their accounts accessed and additional devices registered by the bad actors. Twilio has since notified all users that had their accounts accessed and has removed all unauthorized devices.

A number of companies have reported that their customer data was compromised during the breach, including messaging app Signal, who reported 1,900 users may have had their phone numbers revealed to hackers, with some users directly targeted.

Food delivery company DoorDash said that a “small percentage of individuals whose data is maintained by DoorDash” had their personal data including name, email address, delivery address and phone number. In addition, a smaller number of customers had their “basic order information and partial payment card information” accessed during this data breach.

Since its attack, Twilio has said it enforced “a number of additional measures internally to protect against these attacks”, including “hardening security controls at multiple layers”. While Twilio says that malicious actors have continued to launch attacks, they have not seen any suspicious activity since 10 August.