New data breaches spark cybersecurity fears as Twilio confirms attack
Last week, the cybercriminal group ShinyHunters claimed responsibility for compromising 33 million phone numbers from Twilio, a prominent U.S.-based messaging service.
Twilio confirmed this breach on Tuesday, revealing that the attackers accessed the phone numbers of users registered with Authy, its widely used two-factor authentication (2FA) app. This incident has raised significant concerns over the security of user accounts reliant on multi-factor authentication (MFA).
According to Glenn Chisolm, Co-Founder of Obsidian, a company specialising in SaaS breach data, the pilfered phone numbers are valuable assets for cybercriminals.
"As more users adopt MFA, stolen numbers become an important asset for attackers - they can be used for SIM swapping threats or driving Smishing (phishing via SMS) attacks," Chisolm said. He explained that in about one-third of SaaS breaches, the initial intrusion point often involves self-service password reset (SSPR) combined with SIM swapping. Additionally, "Smishing used in attacker-in-the-middle (AiTM) attacks constitutes a further 36% of SaaS breaches," he added.
Twilio has announced a security update to address this breach, advising users to upgrade to Authy's latest versions: v25.1.0 for Android and v26.1.0 for iOS. However, it remains unclear whether the update will offer sufficient protection against potential misuse of the exposed data. Richard Bird, Chief Security Officer at Traceable AI, noted, "It took until 2024 after multiple security incidents for Twilio to finally stop accepting unauthenticated inquiries."
Bird criticised Twilio for its delayed response to security vulnerabilities, arguing that consistent breaches are the result of neglecting necessary precautions. "Breach after breach and zero change in behaviour until an exploit becomes catastrophic," he commented. Bird emphasised the necessity for cloud solution providers to be proactive, rather than reactive, in implementing security measures.
Obsidian's Chisolm also offered advice for users aiming to protect themselves in light of the breach. He recommended scrutinising any modifications to MFA devices and vigilantly monitoring exceptional account activities, such as access from unfamiliar locations or devices, anomalies in data access patterns, and the introduction of new API connections. "SaaS security is complex with every application being unique. It's critical to have appropriate proactive as well as defensive processes and controls in place," Chisolm explained.
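The monitoring Chisolm describes can be sketched as a detection rule. The following is an added example, not code from Twilio, Obsidian or the article: it flags MFA device and API connection changes made from a location or device that is new for the user, and goes slightly further by also correlating them with a recent self-service password reset. The event schema, field names, sample events and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

SENSITIVE = {"mfa_device_added", "api_connection_added"}
WINDOW = timedelta(hours=24)  # assumed look-back; tune per environment

# Constructed sample audit events (hypothetical schema, not a real SaaS log format).
EVENTS = [
    ("2024-07-01T09:00:00", "alice", "login", "GB", "laptop-01"),
    ("2024-07-02T09:05:00", "alice", "login", "GB", "laptop-01"),
    ("2024-07-03T10:00:00", "alice", "mfa_device_added", "GB", "laptop-01"),
    ("2024-07-01T08:00:00", "bob", "login", "US", "desktop-07"),
    ("2024-07-05T02:10:00", "bob", "password_reset_sspr", "RO", "unknown-99"),
    ("2024-07-05T02:12:00", "bob", "login", "RO", "unknown-99"),
    ("2024-07-05T02:15:00", "bob", "mfa_device_added", "RO", "unknown-99"),
    ("2024-07-05T02:20:00", "bob", "api_connection_added", "RO", "unknown-99"),
]

def flag_risky_changes(events, window=WINDOW):
    """Return (timestamp, user, action, reasons) for suspicious sensitive changes."""
    first_seen = {}   # (user, kind, value) -> first time that context was observed
    last_reset = {}   # user -> time of most recent self-service password reset
    findings = []
    for ts_raw, user, action, country, device in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        contexts = (("location", country), ("device", device))
        if action in SENSITIVE:
            reasons = []
            for kind, value in contexts:
                seen = first_seen.get((user, kind, value))
                # Familiar only if established before the look-back window,
                # so a context introduced minutes earlier does not count.
                if seen is None or ts - seen < window:
                    reasons.append(f"unfamiliar {kind} {value}")
            reset = last_reset.get(user)
            if reset is not None and ts - reset <= window:
                reasons.append("within window of self-service password reset")
            if reasons:
                findings.append((ts_raw, user, action, reasons))
        if action == "password_reset_sspr":
            last_reset[user] = ts
        for kind, value in contexts:
            first_seen.setdefault((user, kind, value), ts)
    return findings

if __name__ == "__main__":
    for finding in flag_risky_changes(EVENTS):
        print(finding)
```

A location or device counts as familiar only once it has been on record for longer than the window, so the login an intruder performs minutes before enrolling a new MFA device does not whitelist the change.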
This incident with Twilio is not an isolated event in the realm of data breaches targeting major tech companies. Alastair Paterson, CEO of Harmonic Security, commented on data breaches concerning companies like OpenAI. "Employees have been busy piling data into GenAI tools to improve their jobs, including a large amount of sensitive data inadvertently leaking out. Given how much data we're giving to OpenAI and other companies, if they're holding onto this data then it increases the risk of a malicious actor getting hold of your sensitive data," Paterson said. This comment underscores the broader risks associated with data retention by service providers.
As companies increasingly rely on advanced technologies and data-driven solutions, the frequency and impact of cyber-attacks are projected to escalate. Industry experts advocate for a robust security architecture, with emphasis on real-time monitoring and quick rectification of vulnerabilities. This incident serves as a stark reminder for both companies and users to stay vigilant and adopt stringent security practices.
The necessity for enhanced cybersecurity measures extends beyond corporate responsibilities, requiring users to actively engage in securing their own data. As the digital landscape evolves, so does the ingenuity of cybercriminals, mandating a collaborative effort to safeguard sensitive information.