The fallout from this month’s breach of security provider Twilio continues to mount. Three new companies — authentication service Authy, password manager LastPass and food delivery service DoorDash — said in recent days that the Twilio compromise led to them being hacked.
The three companies join authentication service Okta and secure messenger provider Signal in the dubious club of Twilio customers known to be compromised in follow-up attacks that use the data obtained by the intruders. In all, security firm Group-IB said on Thursday that at least 136 companies have been hacked in the same way, so it’s likely many more victims will be announced in the coming days and weeks.
Sometimes resourceful
The Authy and LastPass compromises are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained from previous breaches, these tokens may be the only things that prevented the takeover of more accounts. Authy, which Twilio owns, said the threat actor used its access to log into just 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who owns those accounts, that can be really bad. Authy said it has since removed unauthorized devices from those accounts.
LastPass said the same threat actor used Twilio data to gain unauthorized access through a single compromised developer account to parts of the password manager’s development environment. From there, the phishers took “portions of the source code and some proprietary technical information from LastPass.” LastPass said master passwords, encrypted passwords and other data stored in customer accounts and customer personal information were not compromised. While the LastPass data known to be obtained isn’t particularly sensitive, any breach involving a major password management provider is serious given the wealth of data it stores.
DoorDash also said an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers and partial payment card numbers stolen by the same threat actor. The threat actor also obtained names, phone numbers and email addresses of an undisclosed number of DoorDash contractors.
As previously reported, the first phishing attack on Twilio was well planned and executed with surgical precision. The threat actors had private phone numbers of employees, more than 169 forged domains that mimicked Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.
The threat actor’s ability to use data obtained in a single breach to launch supply chain attacks against the victims’ customers — and its ability to go undetected since March — shows its ingenuity and skill. It is not uncommon for companies announcing breaches to update their disclosures in the days or weeks after with additional information that has been compromised. It won’t be surprising if one or more victims here do the same.
If there’s a lesson in this whole mess, it’s that not all 2FA is created equal. One-time passwords sent by text message or generated by authenticator apps are just as phishable as passwords, which is what allowed the threat actors to bypass this last form of defense against account takeovers.
One company that was targeted but not victimized was Cloudflare. The reason: Cloudflare employees relied on 2FA using physical keys like Yubikeys, which cannot be phished. Companies that proclaim the tired mantra that they take security seriously should not be taken seriously unless 2FA based on physical keys is a staple of their digital hygiene.
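As an added illustration that is not part of the article, here is a Python model of the relying-party checks that make a FIDO/WebAuthn response origin-bound: the key signs over the origin the browser reports and a hash of the relying party ID, so a response produced on a look-alike domain fails verification even when the genuine challenge is forwarded to it. An HMAC stands in for the key's public-key signature, and the domain names are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Added illustration (not from the article): why a FIDO key's response is
# useless to a look-alike site. The authenticator signs over the RP ID hash
# and the browser-reported origin, so the relying party's checks fail for a
# response produced against any other domain. The HMAC below stands in for
# the key's real public-key signature; domain names are constructed.

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_assert(origin_host: str, challenge: str, key: bytes):
    """Models a FIDO key: it only ever sees the origin the browser reports."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": "https://" + origin_host,
    }).encode()
    auth_data = rp_id_hash(origin_host) + b"\x01"  # rpIdHash + flags byte
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(rp_id: str, challenge: str, key: bytes, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type and origin, challenge, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != "https://" + rp_id:
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False
    if auth_data[:32] != rp_id_hash(rp_id):
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def demo(rp_id: str = "sso.example.com", fake_host: str = "sso-example.invalid"):
    """Same key, same challenge: only the response made on the real origin verifies."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    genuine = rp_verify(rp_id, challenge, key, *authenticator_assert(rp_id, challenge, key))
    on_lookalike = rp_verify(rp_id, challenge, key, *authenticator_assert(fake_host, challenge, key))
    return genuine, on_lookalike

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A one-time password carries no origin or challenge at all, which is why the same relying party has nothing comparable to check when an OTP arrives.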