The number of companies caught in recent hacks continues to rise

The number of companies victimized by recent hacks continues to increase. (Image credit: Getty Images)

In recent weeks, security provider Twilio revealed that it had been hacked by well-resourced phishers, who used their access to steal the data of 163 of its customers. Security firm Group-IB, meanwhile, said the same phishers who hit Twilio hacked at least 136 companies in similar advanced attacks.

In recent days, three companies, Twilio-owned Authy, password manager LastPass, and food delivery network DoorDash, have all disclosed data breaches that appear to be related to the same activity. Authentication service Okta and secure messaging provider Signal both recently said their data was accessed following the Twilio breach.

Group-IB said Thursday that at least 136 businesses have been phished by the same threat actor as Twilio. DoorDash is one of them, a company representative told TechCrunch.

Ingenious

The Authy and LastPass compromises are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained from previous breaches, these tokens may have been the only thing preventing the takeover of multiple accounts. Authy said the threat actor used its access to log into only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who owns these accounts, this could be very bad. Authy said it has since removed the unauthorized devices from these accounts.

LastPass said a malicious actor gained unauthorized access through a single compromised developer account to parts of the password manager development environment. From there, the threat actor "took portions of LastPass' source code and proprietary technical information." LastPass said master passwords, encrypted passwords, and other data stored in customer accounts, as well as customer personal information, were not affected. While the LastPass data known to be obtained is not particularly sensitive, any breach involving a major password management vendor is serious, given the wealth of data it stores.

DoorDash also said an undisclosed number of customers had their names, email addresses, shipping addresses, phone numbers, and partial payment card numbers stolen by the same malicious actor some call Scatter Swine. The threat actor obtained the names, phone numbers, and email addresses of an undisclosed number of DoorDash contractors.

As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision. Threat actors had private employee phone numbers, over 169 forged domains mimicking Okta and other security vendors, and the ability to bypass 2FA protections that used one-time passwords.

The threat actor's ability to leverage data obtained from one breach to launch supply chain attacks against the victims' customers, and its ability to go undetected since March, demonstrate its ingenuity and skill. It is not uncommon for companies that announce breaches to update their disclosures within days or weeks to include additional information that was compromised. It will come as no surprise if one or more of the victims here do the same.

If there's a lesson in this whole mess, it's that not all 2FA is created equal. One-time passwords sent by text message or generated by authenticator apps are just as phishable as passwords, and that is what allowed the hackers to circumvent this second line of defense against account takeovers.
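As an added illustration of that point (example code written for this page, not code from Twilio, Authy, or any other company named here): a server that verifies a TOTP code only ever sees a six-digit string and cannot tell which page the user typed it on, whereas an origin-bound check of the kind a WebAuthn relying party performs rejects a response produced on a forged domain. The secret, the origin, and the clientDataJSON layout below are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo origin (not a value from any real service or the article).
RP_ORIGIN = "https://login.example.com"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int, step: int = 30) -> bool:
    """The server sees only the digits (with a +/-1 step window). Nothing in
    them records where the user typed them, so a code captured on a forged
    login page and relayed within the window verifies just as well."""
    return any(hmac.compare_digest(totp(secret, t + d * step, step), code)
               for d in (-1, 0, 1))


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces; the
    browser fills in the origin it is really on, and the user cannot alter it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_origin_bound(expected_challenge: bytes, client_data_json: bytes) -> bool:
    """Origin and challenge checks of a WebAuthn relying party (the signature
    over authenticatorData || SHA-256(clientDataJSON) is omitted here). A
    response minted on a lookalike domain carries that domain as its origin
    and is rejected before any signature is examined."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False
    enc = data.get("challenge", "")
    got = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
    return hmac.compare_digest(got, expected_challenge)
```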

A company that has...

