Okta Customer Data Exposed via Phishing Attack on Twilio

Twilio: Attackers Accessed Data for 163 Customers; Signal Also Affected
Okta Customer Data Exposed via Phishing Attack on Twilio

Identity and access management giant Okta says it suffered a customer data breach due to a "relentless phishing campaign" that has hit numerous technology firms.

See Also: Insights into Enhanced Cybersecurity Insurance Requirements: Meeting the demands of cyber risk insurers

Okta says some customers' authentication data was exposed by the attack on customer engagement platform Twilio, which that firm first disclosed publicly on Aug. 7.

"Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes," Okta says in a data breach report. "Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor."

In its breach report, Twilio said attackers tricked multiple employees into providing their access credentials, which the attackers used "to gain access to some of our internal systems, where they were able to access certain customer data" via a Twilio console.

So far, Okta and messaging platform Signal have disclosed they fell victim to this supply chain attack.

Okta Customer Data Exposed

In its breach notification, Okta says that as a result of that access to Twilio's systems, for some of its customers, "a small number of 1) mobile phone numbers and 2) associated SMS messages containing one-time passwords ('OTPs') were accessible to the threat actor via the Twilio console."

Twilio informed Okta of the data exposure on Aug. 8 and shared internal logs to help its security team investigate. "Okta prioritized routing of SMS-based communications to an alternative provider while we worked with Twilio's security team to understand the scope and impact of the incident," it says, adding that it was able to use the logs to identify exactly what was exposed.

Okta says its security team found evidence of a targeted attack, as well as incidental data exposure.

For the targeted attack, "the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization," it says.

Okta believes the attacker was seeking to expand their access inside the targeted organization and "used credentials - usernames and passwords - previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in those challenges."

For the duration of the attacker's access to the Twilio console displaying data for some Okta customers, Okta says the attacker could have viewed up to 50 mobile phone numbers but no usernames. Based on extensive analysis and threat hunting, Okta says it doesn't believe the attacker "targeted or used such mobile phone numbers."

Okta says it has notified all firms for which information was exposed and that "there are no actions necessary for customers at this time." But it also issued a list of best practices it advises customers to follow to better protect themselves.

Breach Affects 163 Twilio Customers

"To date, our investigation has identified 163 Twilio customers - out of a total customer base of over 270,000 - whose data was accessed without authorization for a limited period of time, and we have notified all of them," Twilio says in an update on its investigation, issued Wednesday.

Twilio says the attackers also compromised some users of the Authy two-factor authentication app for smartphones. "Our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users - out of a total of approximately 75 million users - and registered additional devices to their accounts," it says. "We have since identified and removed unauthorized devices from these Authy accounts."

'Scatter Swine'/'0ktapus' Campaign

Okta has given the phishing campaign the codename "Scatter Swine" and says it has been repeatedly and directly targeted by the attackers but has not fallen victim to those direct attacks.

Cybersecurity firm Group-IB, which refers to the campaign as "0ktapus," given its focus on obtaining victims' Okta OTPs, last week reported that at least 130 organizations have been direct victims and nearly 10,000 credentials have been exposed.

Beyond Twilio, food delivery firm DoorDash, as well as email service provider Mailchimp and marketing firm Klaviyo, have also said they fell victim to the campaign (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort).

Samples of the SMS messages used to phish Twilio employees (Source: Twilio)

Group-IB says the attackers' MO is to send an SMS message to targets with a link to a legitimate-looking phishing site registered by attackers. The phishing page is designed to trick the recipient into entering their username, password and OTP.

Okta says these are common formats for spoof domains used in the campaign. (Click to expand)

"The threat actor registers domain names in common formats in order to socially engineer targets into entering their credentials into their phishing sites," Okta says. "We have also observed the threat actor triggering multiple push notifications in an attempt to trick a target into allowing access to the account." It notes that OTPs are only valid for five minutes.

Group-IB, which was able to access the Telegram channel being used by the attacker's phishing toolkit to relay stolen data, said the attacks didn't always capture an email address that could be used to identity the organization. Hence not all victims' identities could be ascertained.

Some of the spoof domains that appear to have been registered by the attackers, however, include variations on the names Acronis, Avast, Broadcom, Citrix, Eset, Fortinet, Microsoft, Mozilla and Sophos. Hence these companies likely have been - or will be - targeted.

After following a trail of Telegram accounts, Group-IB researchers identified a suspected leader of the campaign, who they say is "allegedly a 22-year-old software developer" living in North Carolina. The researchers say they shared their findings with law enforcement agencies.

Okta's Best Practice Recommendations

Based on the phishing campaign, Okta has detailed a number of best practices it advises customers to follow, to better safeguard themselves against these types of attacks. They include restricting access to a list of approved devices - especially for sensitive information and systems - as well as "behavior detection," since "this threat actor is almost always attempting to authenticate from a new device and new IP that has no previous association with the user."

In addition, Okta recommends using "strong authenticators with the most phishing-resistant properties, such as the Web Authentication web standard - aka WebAuthn; physical smart keys that comply with U2F, aka FIDO Universal 2nd Factor Authentication; and smart cards.

Similar advice has been issued by other firms. Cloudflare says it fell victim to the same phishing campaign as Twilio and that several employees were tricked into divulging their passwords and OTPs. But thanks to the firm using security keys, even after attackers obtained the OTPs, their attempts to authenticate to Cloudflare's systems failed (see: Hardware MFA Stops Attack on Cloudflare).

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.