Sometimes an attack is not for the immediate impact, but for longer-term results. Take the attacker behind the Twilio breach, who was able to get in and steal one-time passwords (OTPs) delivered over SMS from customers of identity and access management company Okta, officials said.

Okta is a customizable, secure, and drop-in solution to add authentication and authorization services to applications. It provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.

With access to the Twilio console, the threat actor could see mobile phone numbers and OTPs belonging to Okta customers.

On August 4, cloud communications company Twilio discovered that an unauthorized party had gained access to its systems and to information belonging to its customers.

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials,” Twilio said after discovering the attack.

“The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

At the time, one of the services Okta used for customers opting for SMS as an authentication factor was provided by Twilio.

On August 8, Okta learned the Twilio hack exposed “unspecified data relevant to Okta” and started to route SMS-based communication through a different provider.

Through Twilio’s internal logs, Okta determined the threat actor was able to gain access to phone numbers and OTP codes.

In this instance an OTP code remains valid for no more than five minutes, company officials said.

The company found the intruder searched for 38 phone numbers, almost all of them associated with one organization, indicating interest in gaining access to that client’s network.

As it turns out, hackers could see a larger number of phone numbers. However, Okta’s investigation discovered the intruder did not use these mobile phone numbers.

Twilio said the hacker accessed Authy 2FA accounts and registered their devices to obtain temporary tokens.

