Twilio 2022
A phishing SMS sent to Twilio employees opened a door into 130 downstream companies, including Signal and the Authy two-factor app itself.
In August 2022, the communications infrastructure company Twilio disclosed that attackers had successfully phished a number of its employees and used the resulting access to read customer data for a subset of the company's clients. The phishing messages were SMS, sent to employee personal phones, purporting to come from Twilio IT and instructing the recipient to log in through a convincingly cloned single-sign-on page.
A long, branded campaign
The same group — tracked by researchers as 0ktapus or Scatter Swine, an early incarnation of what would later be reorganized as Scattered Spider — ran the same playbook against more than a hundred and thirty companies over the same period. The phishing pages used a kit purpose-built to clone the Okta-branded SSO portals of each individual target. The crew collected credentials, then used them in real time to log in and grab session tokens.
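The real-time credential relay described above ends with a captured session token being used from the attacker's own network rather than the victim's. One defender-side check that surfaces this, as an added example that is not code from Twilio, Okta or the original chronicle, is a sweep over identity-provider logs for any session that authenticated from one network and was then used from a different one within a short window. The JSON-lines format, the field names (`ts`, `user`, `event`, `session`, `ip`, `asn`) and the sample records are constructed for this example and do not follow any vendor's real schema; requiring the ASN to change as well as the IP is an assumption made to suppress the benign address changes a phone sees while roaming inside one carrier.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in a simplified JSON-lines shape. Field names are
# assumptions for this example, not a real identity provider's schema.
# IP addresses are RFC 5737 documentation ranges; ASNs are RFC 5398 reserved values.
SAMPLE_LOG = """
{"ts": "2022-08-04T10:00:00+00:00", "user": "alice@example.com", "event": "user.session.start", "session": "sess-0001", "ip": "203.0.113.10", "asn": 64500}
{"ts": "2022-08-04T10:01:30+00:00", "user": "alice@example.com", "event": "app.access", "session": "sess-0001", "ip": "203.0.113.10", "asn": 64500}
{"ts": "2022-08-04T10:05:00+00:00", "user": "alice@example.com", "event": "app.access", "session": "sess-0001", "ip": "198.51.100.7", "asn": 64501}
{"ts": "2022-08-04T10:10:00+00:00", "user": "bob@example.com", "event": "user.session.start", "session": "sess-0002", "ip": "192.0.2.5", "asn": 64502}
{"ts": "2022-08-04T10:12:00+00:00", "user": "bob@example.com", "event": "app.access", "session": "sess-0002", "ip": "192.0.2.9", "asn": 64502}
{"ts": "2022-08-04T10:15:00+00:00", "user": "carol@example.com", "event": "app.access", "session": "sess-9999", "ip": "192.0.2.40", "asn": 64503}
"""


@dataclass(frozen=True)
class Alert:
    """A session token used from a different network than the one that logged in."""
    user: str
    session: str
    auth_ip: str
    reuse_ip: str
    seconds_after_auth: float


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines text into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_session_reuse(records: list[dict], window: timedelta = timedelta(minutes=30)) -> list[Alert]:
    """Flag sessions whose later activity comes from a different IP *and* ASN than
    the login, within `window` of the login. Activity for a session whose login
    was never observed is ignored rather than guessed at."""
    logins: dict[str, tuple[datetime, str, str, int]] = {}
    alerts: list[Alert] = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "user.session.start":
            # Remember where this session was established.
            logins[rec["session"]] = (ts, rec["user"], rec["ip"], rec["asn"])
            continue
        login = logins.get(rec["session"])
        if login is None:
            continue  # no observed login for this session; nothing to compare against
        login_ts, user, login_ip, login_asn = login
        network_changed = rec["ip"] != login_ip and rec["asn"] != login_asn
        if network_changed and ts - login_ts <= window:
            alerts.append(Alert(
                user=user,
                session=rec["session"],
                auth_ip=login_ip,
                reuse_ip=rec["ip"],
                seconds_after_auth=(ts - login_ts).total_seconds(),
            ))
    return alerts


def run_sample() -> list[Alert]:
    """Run the detector over the constructed sample log."""
    return find_session_reuse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.user}: session {alert.session} authenticated from {alert.auth_ip} "
              f"but used from {alert.reuse_ip} {alert.seconds_after_auth:.0f}s later")
```

In the sample, only alice's session is flagged: it was established from one network and used five minutes later from another. Bob's address changes inside the same ASN and is left alone, and carol's activity has no observed login to compare against. In a real deployment this rule is a triage signal, not proof of compromise; VPN connect and disconnect events produce the same pattern, so the alert is best joined with the authentication method (whether a phishing-resistant factor was used) before anyone revokes a session.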
The Signal consequence
Twilio happened to power Signal's phone-number verification. From inside Twilio's customer console, the attackers were able to re-register the Signal accounts of roughly 1,900 users — including, briefly, accounts belonging to public figures and journalists. Signal pushed an in-app notification to every affected user and stressed that message contents remained encrypted end-to-end. A separate Twilio subsidiary, Authy, issued similar advisories.
What the chronicle remembers
Twilio 2022 is the canonical demonstration that the modern SaaS stack makes upstream identity providers and communications APIs into single-point-of-failure dependencies. The blast radius of phishing a single Twilio engineer was not just Twilio. It was every product whose account-recovery flow ran through Twilio's wires.