Hackers Behind Twilio’s Data Breach Also Compromised DoorDash

Twilio says it has now revoked all unauthorized access, but the hacking group has found plenty of new targets.
Adam Rowe

A data breach at Twilio earlier this month was worse than initially reported: Now, the communications company says hackers accessed 93 user accounts for Authy, the Twilio-owned two-factor authentication app.

With these accounts, the attackers gained the ability to create their own login codes for connected third-party services. The hacking group has been busy: The food delivery platform DoorDash also just suffered a data breach, and it has been linked to the Twilio incident.

Twilio says it has found and removed all unauthorized devices connected to the compromised accounts, but it's unclear right now whether any additional third-party services were actively compromised as well.

Twilio's Two-Factor Authentication App Was Breached

The initial report revealed a successful phishing campaign on Twilio employees had exposed the data of over 100 Twilio customers.

Now we know that it was the work of a specific hacking group, “0ktapus,” which has likely stolen nearly 10,000 employee credentials from across 130 organizations since this March.

In an update to their first disclosure, Twilio notes that they have found the malicious actors were able to access the accounts of 93 individual Authy users (that's out of a total of around 75 million, Twilio is quick to point out). The hackers then registered additional devices to those accounts.

How DoorDash Was Compromised

Twilio has since removed those devices, but the hackers probably didn't mind, given how quickly they were able to move on to DoorDash's breach.

According to DoorDash, the breached data included DoorDash customers' names, email addresses, delivery addresses, and phone numbers, after hackers gained access to internal tools through an unnamed third-party vendor.

The company hasn't released a timeline for when the breach occurred, but it's not their first: A breach that DoorDash reported in 2019 affected around 4.9 million customers and workers.

Staying Safe With a Distributed Workforce

Phishing attacks were up 400% last year, and this particular data breach illustrates the chain effect that one breach can have, as hackers were able to use their unauthorized access to break through DoorDash's cyber defenses as well.

Despite this clear example of the downsides to two-factor authentication, we'd still recommend turning the feature on whenever it's available in any business software you may use.

After all, two-factor authentication is still safer than not using it, and incidents like Twilio's data breach are unlikely to affect your personal account. The feature offers one more layer of protection on top of other security measures that can help, including user roles, VPNs, and a good password manager.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting own the latest news on VPNs, POS systems, and the future of tech.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals