Twilio: SMS Phishing Harvests Employee Credentials, Reaches 163 Customer Accounts
Attackers sent SMS messages to Twilio employees impersonating IT, directing them to a convincing phishing site. Captured credentials gave access to the customer data portal, exposing Authy two-factor accounts for 163 organisations.
Background
Twilio provides cloud communications and is the backbone of Authy, a widely used two-factor authentication app. Its employee directory and customer portal access made it a high-value phishing target. The attack was part of a broader campaign against over 130 organisations by a group known as Scattered Spider / 0ktapus.
The Attack
Attackers sent SMS messages to Twilio employees stating their accounts required action or passwords had expired, with a link to a convincing fake Twilio login portal. At least three employees entered their credentials. Attackers used the captured credentials to access Twilio's internal customer portal, searching for records of specific high-value targets. They accessed data for 163 customer organisations and used Twilio's position as an SMS provider to compromise Authy 2FA seeds for some accounts, which they then used in downstream attacks against Cloudflare and other Twilio customers.
Response
Twilio identified the breach within days, revoked the compromised accounts, and notified affected customers. The company published a detailed incident report. Cloudflare, which was also targeted by the same campaign, successfully repelled the attack because employees used hardware security keys rather than SMS-based MFA.
Outcome
The Twilio breach demonstrated the power of targeting communications infrastructure: compromising the company that sends SMS messages can cascade to its customers' authentication systems. The broader 0ktapus campaign stole over 9,000 credentials across 130 organisations.
Key Takeaways
- SMS-based MFA can be bypassed when the SMS provider itself is compromised — use hardware keys
- Phishing campaigns increasingly target employees via personal SMS and WhatsApp, not just email
- Cloud communications providers are critical attack surfaces — their customer portals contain sensitive data at scale
- Hardware security keys (FIDO2) cannot be phished even if credentials are captured — Cloudflare proved this
How to Prevent This
Use hardware security keys for privileged and external-facing accounts
FIDO2/WebAuthn hardware security keys are phishing-proof — the credential is cryptographically bound to the domain it was registered on, and the browser writes the page's real origin into the signed response, so a cloned login page on another domain cannot obtain a usable credential. SMS-based two-factor codes can be intercepted via SIM-swapping or forwarded by a victim who receives a fraudulent phone call. The Twilio breach demonstrated exactly this: employees entered SMS codes into a phishing page. Hardware keys like YubiKey make that attack impossible. Deploy them first for all administrators, executives, and anyone with access to production systems or financial controls.
Migrate from SMS and TOTP to phishing-resistant MFA
SMS two-factor authentication is vulnerable to SIM-swapping, SS7 interception, and real-time phishing relay. TOTP (authenticator app) codes are better than SMS but can still be captured on a convincing phishing page. Phishing-resistant MFA — FIDO2 hardware keys or passkeys — cannot be forwarded to an attacker's server because the credential is cryptographically bound to the exact domain. When Cloudflare was targeted by the same 0ktapus campaign that successfully breached Twilio, Cloudflare survived because their employees used hardware keys. Prioritise migration for your highest-value accounts first.
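The two guides above both rest on one mechanism: a WebAuthn assertion carries the origin the browser actually displayed and the hash of the relying party ID, and both are covered by the signature, so a code relayed through a cloned page fails verification while a relayed SMS or TOTP code does not. The following is an added, self-contained illustration of that relying-party check; it is not Twilio's or Cloudflare's code. The relying party `example-corp.test`, the look-alike domain `sso-example-corp.test`, and the `Authenticator` class are constructed for the example, and the HMAC-SHA256 "signature" stands in for the per-credential ECDSA key a real FIDO2 authenticator uses, so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed names for the illustration; nothing here is from the incident.
RP_ID = "example-corp.test"                      # relying party id the key was registered to
LEGIT_ORIGIN = "https://sso.example-corp.test"   # the real login page
PHISH_ORIGIN = "https://sso-example-corp.test"   # look-alike domain hosting a cloned page
KEY_SECRET = os.urandom(32)                      # stands in for the credential's private key


def browser_allows(origin: str, rp_id: str) -> bool:
    """A conforming browser only releases a credential when the page's host is the
    credential's rpId or a subdomain of it. This first layer of origin binding runs
    in the browser, outside the page's control, so a cloned page never gets a key."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


@dataclass
class Authenticator:
    """Minimal stand-in for a FIDO2 key holding one credential (constructed).
    Real keys sign with an ECDSA/EdDSA private key; this uses HMAC-SHA256 with a
    secret shared only with the relying party. The shape of the signed message,
    authenticatorData || SHA-256(clientDataJSON), matches the real ceremony."""
    rp_id: str
    secret: bytes
    sign_count: int = 0

    def get_assertion(self, page_origin: str, challenge: bytes) -> dict:
        # The browser writes the origin it is actually displaying into
        # clientDataJSON; page script cannot choose this value.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
            sort_keys=True,
        ).encode()
        self.sign_count += 1
        # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
        auth_data = (hashlib.sha256(self.rp_id.encode()).digest()
                     + b"\x01" + self.sign_count.to_bytes(4, "big"))
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": signature}


def verify_assertion(assertion: dict, secret: bytes, expected_origin: str,
                     expected_rp_id: str, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks for a webauthn.get ceremony, in the order the spec lists them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    """User signs in on the real page: every check passes."""
    key = Authenticator(RP_ID, KEY_SECRET)
    challenge = os.urandom(32)
    assertion = key.get_assertion(LEGIT_ORIGIN, challenge)
    return verify_assertion(assertion, KEY_SECRET, LEGIT_ORIGIN, RP_ID, challenge)


def relayed_phish_login() -> tuple[bool, str]:
    """Real-time relay: the cloned page forwards the server's fresh challenge to
    the victim and forwards the response back. An SMS or TOTP code survives this
    because it is not tied to where it was typed. Even if a non-conforming client
    released the credential (browser_allows would normally refuse), the origin
    recorded in clientDataJSON is the phishing one, so the server rejects it."""
    key = Authenticator(RP_ID, KEY_SECRET)
    challenge = os.urandom(32)                               # issued by the real server
    assertion = key.get_assertion(PHISH_ORIGIN, challenge)   # produced on the cloned page
    return verify_assertion(assertion, KEY_SECRET, LEGIT_ORIGIN, RP_ID, challenge)


def tampered_relay_login() -> tuple[bool, str]:
    """The relay rewrites the origin field before forwarding. The signature covers
    SHA-256(clientDataJSON), so the edit invalidates it."""
    key = Authenticator(RP_ID, KEY_SECRET)
    challenge = os.urandom(32)
    assertion = key.get_assertion(PHISH_ORIGIN, challenge)
    forged = json.loads(assertion["clientDataJSON"])
    forged["origin"] = LEGIT_ORIGIN
    assertion["clientDataJSON"] = json.dumps(forged, sort_keys=True).encode()
    return verify_assertion(assertion, KEY_SECRET, LEGIT_ORIGIN, RP_ID, challenge)


if __name__ == "__main__":
    print("browser releases credential on cloned page:", browser_allows(PHISH_ORIGIN, RP_ID))
    print("legitimate login:", legitimate_login())
    print("relayed phish:", relayed_phish_login())
    print("tampered relay:", tampered_relay_login())
```

The three scenarios map directly onto the guidance: `browser_allows` is why a cloned page never receives the credential in the first place, `relayed_phish_login` is why a real-time relay of the kind that defeats SMS and TOTP fails against WebAuthn, and `tampered_relay_login` is why the attacker cannot repair the relayed response by editing the origin. The same `verify_assertion` order (type, challenge, origin, rpIdHash, signature) is what any relying party should implement, and the origin check should compare against an explicit allow-list of your own origins rather than anything derived from the request.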