A data breach at Twilio earlier this month was worse than initially reported: Now, the communications company says hackers accessed 93 user accounts for Authy, the Twilio-owned two-factor authentication app.
With these accounts, the attackers gained the ability to create their own login codes for connected third-party services. The hacking group has been busy: The food delivery platform DoorDash also just suffered a data breach, and it has been linked to the Twilio incident.
Twilio says it has found and removed all unauthorized devices connected to the compromised accounts, but it's unclear right now whether any additional third-party services were actively compromised as well.
Twilio's Two-Factor Authentication App Was Breached
The initial report revealed a successful phishing campaign on Twilio employees had exposed the data of over 100 Twilio customers.
Now we know that it was the work of a specific hacking group, “0ktapus,” which has likely stolen nearly 10,000 employee credentials from across 130 organizations since this March.
In an update to their first disclosure, Twilio notes that they have found the malicious actors were able to access the accounts of 93 individual Authy users (that's out of a total of around 75 million, Twilio is quick to point out). The hackers then registered additional devices to those accounts.
How DoorDash Was Compromised
Twilio has since removed those devices, but the hackers probably didn't mind, given how quickly they were able to move on to DoorDash's breach.
According to DoorDash, the breached data included DoorDash customers' names, email addresses, delivery addresses, and phone numbers, after hackers gained access to internal tools through an unnamed third-party vendor.
The company hasn't released a timeline for when the breach occurred, but it's not their first: A breach that DoorDash reported in 2019 affected around 4.9 million customers and workers.
Staying Safe With a Distributed Workforce
Phishing attacks were up 400% last year, and this particular data breach illustrates the chain effect that one breach can have, as hackers were able to use their unauthorized access to break through DoorDash's cyber defenses as well.
Despite this clear example of the downsides to two-factor authentication, we'd still recommend turning the feature on whenever it's available in any business software you may use.
After all, two-factor authentication is still safer than not using it, and incidents like Twilio's data breach are unlikely to affect your personal account. The feature offers one more layer of protection on top of other security measures that can help, including user roles, VPNs, and a good password manager.