Social Engineering Attacks: 4 Things Business Owners Need to Know

When communications giant Twilio began working with the major access management company Okta, Twilio’s IT Administrator Seth Hardiman was quoted as saying, “Now Twilio won’t have to react to a data breach or data loss. We have the pieces in place to protect our data.”

Unfortunately, on the 8th of August 2022, the internet lit up with reports that Twilio had been hit with a social engineering attack. In the wake of this hack, we’ve learned that at least 125 of Twilio’s customers were affected, including the encrypted messaging app, Signal. The Signal breach alone exposed the phone numbers of around 1,900 users, and we’re yet to see just how far the hackers were able to get.

This attack came five months after the revelation that Okta itself had been hacked. Though Okta claims their event was a non-starter for the hacking group responsible, this situation nevertheless offers valuable insight for other business owners. So, the Invotec team has delved into the details to bring you four timely takeaways from the Okta and Twilio social engineering attacks.

No company is immune to cyberattacks 

Okta provides an authentication hub that allows its customers to securely manage access to their technology platforms. If you use enterprise software like Microsoft Office 365, Salesforce, or Google Workspace, Okta gives you the power to control and monitor where, when, and how authorised users log in. The problem, of course, is that if a hacker deploys a successful social engineering attack, they may be able to gain access to your entire software stack – not exactly a comforting prospect. 

Twilio, meanwhile, offers secure and programmable communication tools, allowing customers to seamlessly embed SIP, VoIP, or PSTN calling into their apps and websites. Once again, customers place a lot of trust in Twilio, and the company boasts of robust Two-factor Authentication (2FA), among other security measures. 

The fact that two such security-aware tech giants were breached is all the proof you need that no business is immune to social engineering attacks. We’ll explore the reasons for this in more depth below, but for now, the lesson holds that you cannot afford to be lax or lazy about your cyber security. 

It only takes one lapse of judgment from one person 

The Twilio breach was achieved via a social engineering attack known as smishing. The Lapsus$ hacking group delivered text messages to Twilio employees that purported to be from the company’s IT department. Since Twilio uses the Okta platform, it’s possible that the earlier Okta attack gave the hackers enough information to be able to accurately replicate a legitimate internal SMS. The messages asked employees to follow a link to update their credentials. If they clicked the link, they would be taken to a page that looked just like the genuine Okta authentication page.

A crucial point to understand here is that not all employees who received the message complied with the request. However, all it takes is one person. Whether they’re unaware of social engineering attacks or simply having a bad day and not thinking straight, a single employee can provide the vector by which hackers gain access to your entire system. 

This highlights the importance of cybersecurity training – not just as an onboarding process but as a regular, company-wide requirement. Cybercrime syndicates are growing more organised and sophisticated, with new tools and methods always under development. So, ongoing training is necessary to ensure all team members are aware of the routes via which attacks can come. Indeed, Twilio has since doubled down on its security training, putting its staff on “high alert” for potential social engineering attacks.

At a bare minimum, it’s crucial for employees to treat any link received from an unverified source as suspicious. It should become a habit to double-check the URL of any site that asks for your credentials. If in doubt, employees should have an easy process for forwarding the questionable message or URL to your IT department or Managed IT Service Provider for analysis. 
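The URL double-check described above can be turned into a simple triage helper that an IT team runs over a forwarded link before anyone enters credentials. This is an added example, not code from Invotec, Okta or Twilio; the allowlist hostname `example-corp.okta.com` is a constructed placeholder for your organisation's real sign-in hostnames.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: the hostnames your staff legitimately sign in to.
# Replace with your organisation's real SSO hostnames.
TRUSTED_LOGIN_DOMAINS = ("example-corp.okta.com",)


def _host_under(host, domain):
    """True if host is the trusted domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return a verdict for a link that asks for credentials:
    'trusted', 'lookalike', 'suspicious' or 'unknown'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious"
    # A credential form served over plain HTTP is never legitimate.
    if parts.scheme != "https":
        return "suspicious"
    # 'name@host' form: the text before '@' is not the real destination.
    if parts.username is not None:
        return "suspicious"
    # A raw IP address has no place in a corporate SSO link.
    try:
        ipaddress.ip_address(host)
        return "suspicious"
    except ValueError:
        pass
    # Non-ASCII hostnames can hide visually similar characters.
    if not host.isascii():
        return "lookalike"
    for domain in trusted:
        if _host_under(host, domain):
            return "trusted"
    # The trusted name appears in the host but not as its suffix, e.g.
    # 'example-corp.okta.com.evil.test' or 'sso-okta-verify.test'.
    for domain in trusted:
        labels = domain.split(".")
        tenant, brand = labels[0], labels[-2]
        if brand in host or tenant in host:
            return "lookalike"
    return "unknown"
```

Anything other than `trusted` should be escalated to your IT department or Managed IT Service Provider rather than clicked.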

Data breaches harm businesses in more ways than one

After an internal investigation, Okta claimed that the security breach lasted no longer than 25 minutes, with only two customer systems accessed. The forensic report suggests that Okta’s actions were aligned with disclosure and response best practices. 

Still, it’s tough to calm the fear that arises when a company in the cyber security industry has its cyber security breached. Add to this the fact that Okta only went public after Lapsus$ took responsibility for the hack, and you can probably predict that the company’s reputation took a hit. Indeed, the BBC reported that Okta’s shares fell 9% when news of the hack broke. 

Okta has since ended its relationship with the subcontractor via which the attack came, and they are working hard to restore customer faith in their systems. However, as Chief Security Officer David Bradbury acknowledged, a compromise such as this will always have a lasting impact on customers and their trust in a company. 

Supply chain integrity is more important than ever

You can have the most robust cybersecurity on the planet, but if a link in your supply chain is weak, bad actors can leverage it to access your system. The Okta attack came via an employee of a subcontractor the company used for customer service. From this vector, the hacking group was able to access a company that supports major customers, including Twilio, JetBlue, Nordstrom, FedEx, and the US Department of Justice.

While Okta claims no real damage was done from its January attack, Group-IB has noted an ongoing campaign of social engineering attacks against Okta clients, with Twilio simply being the latest. This campaign has been code-named 0ktapus, and (apart from the obvious Okta reference) it’s not hard to see why. Twilio alone has more than 150,000 corporate customers, including Facebook and Uber, each one representing an arm of the octopus, able to be exploited once access to the head has been gained. 

Here, it’s worth circling back to the fact that Okta failed to inform its clients about the January breach until March. Indeed, Okta only spoke publicly about it after the Lapsus$ hacking group published screenshots proving they’d accessed Okta’s system. This highlights how crucial it is to have upfront communication and processes in place with every business in your supply chain. 

If you have any concerns about your business cybersecurity, you can take action by contacting Invotec today. As a Melbourne-based Managed Service Provider, we support some of Australia’s largest enterprises. Our skilled and experienced IT experts are on-hand to answer your questions and help you determine the best cybersecurity strategy going forward. 
