The fallout from this month’s breach of security provider Twilio keeps coming. Three new companies—authentication service Authy, password manager LastPass, and food delivery service DoorDash—said in recent days that the Twilio compromise led to them being hacked.
The three companies join authentication service Okta and secure messenger provider Signal in the dubious club of Twilio customers known to be breached in follow-on attacks that leveraged the data obtained by the intruders. In all, security firm Group-IB said on Thursday, at least 136 companies were similarly hacked, so it’s likely many more victims will be announced in the coming days and weeks.
The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy, which Twilio owns, said that the threat actor used its access to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said it has since removed unauthorized devices from those accounts.
LastPass said the same threat actor used data taken from Twilio to gain unauthorized access through a single compromised developer account to portions of the password manager’s development environment. From there, the phishers “took portions of source code and some proprietary LastPass technical information.” LastPass said that master passwords, encrypted passwords and other data stored in customer accounts, and customers’ personal information weren’t affected. While the LastPass data known to be obtained isn’t especially sensitive, any breach involving a major password management provider is serious, given the wealth of data it stores.
DoorDash also said that an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers stolen by the same threat actor. The threat actor obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.
As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision. The threat actors had private phone numbers of employees, more than 169 counterfeit domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.
The threat actor’s ability to leverage data obtained in one breach to wage supply-chain attacks against the victims’ customers—and its ability to remain undetected since March—demonstrates its resourcefulness and skill. It’s not uncommon for companies that announce breaches to update their disclosures in the days or weeks following to include additional information that was compromised. It won’t be surprising if one or more victims here do the same.
If there’s a lesson in this whole mess, it’s that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are, and that’s what allowed the threat actors to bypass this last form of defense against account takeovers.
One company that was targeted but didn’t fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as Yubikeys, which can’t be phished. Companies spouting the tired mantra that they take security seriously shouldn’t be taken seriously unless physical key-based 2FA is a staple of their digital hygiene.