Twilio, a communications software company popular with political campaigns, disclosed a breach that affected a “limited number” of customers. The company said in a blog post Sunday that it’s still in the early stages of its investigation.
Twilio says it became aware of the hack on Aug. 4, has reached out to its customers and is working with those affected by the incident.
The company has more than 150,000 customers, including political campaigns and government agencies. The company’s platform is used to automate phone calls, text messages and other communications to customers or, in the case of political organizations, voters.
According to the political watchdog organization Open Secrets, Twilio received more than $7 million in payments from campaigns during the 2020 election season. Last month, The Washington Post reported that Twilio “leased” phone numbers that a political action committee used to send misleading text messages about the Kansas abortion vote. Twilio later disabled the numbers.
Twilio’s government customers include the Department of Veterans Affairs and Government Services Administration, among others.
In an email to CyberScoop, Twilio declined to provide additional information about the scope of the breach, including what customer data may have been accessed.
According to a blog post from the company, attackers were able to gain unauthorized access to Twilio customer accounts after successfully tricking several employees into providing their credentials. The hackers sent employees texts posing as Twilio’s IT department, warning the employees their passwords had expired and directing them to a link that impersonated the company’s login page.
Twilio says it’s worked with U.S. phone carriers and hosting providers to shut down the infrastructure used by the attackers.
“We have heard from other companies that they, too, were subject to similar attacks, and have coordinated our response to the threat actors – including collaborating with carriers to stop the malicious messages, as well as their registrars and hosting providers to shut down the malicious URLs,” Twilio wrote in a blog post. “Despite this response, the threat actors have continued to rotate through carriers and hosting providers to resume their attacks.”
“The threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers,” the company said in a blog post.
In 2021, a small number of Twilio customer emails were obtained by an unknown hacker as a result of a breach of a tool used by the company, Codecov.