Dive Brief:
- An attack targeting an unnamed telecom provider exposed multifactor authentication message logs used by Cisco Duo customers, Cisco’s Data Privacy and Incident Response Team said in an email it sent to impacted customers.
- “Based on information received from the supplier to date, we assessed that approximately 1% of Duo's customers were impacted. Our investigation is ongoing, and we are notifying affected customers via our established channels as appropriate,” a Cisco spokesperson said Tuesday via email.
- An attacker broke into the telecom provider’s internal systems April 1 after obtaining an employee’s credentials via a phishing attack, according to Cisco. The attacker used that access to steal Cisco Duo customers’ MFA SMS message logs that were transmitted March 1 through March 31.
Dive Insight:
Cisco Duo has more than 100,000 customers globally, and, following the breach, roughly 1,000 of those business customers are now at risk, according to Cisco’s assessment. Cisco acquired Duo, an MFA and single sign-on provider, for $2.35 billion in 2018.
“Cisco is actively working with the supplier to investigate and address the incident,” a company spokesperson said.
The attacker exfiltrated message logs containing phone numbers, carrier information, geographic data, and the date, time, and type of message sent.
Cisco declined to name the telecom provider, but a spokesperson said the third-party vendor sends Duo MFA messages via SMS and VoIP to recipients in North America.
The attacker did not use their access to the provider’s internal systems to send messages to any of the phone numbers contained in the message logs, the provider told Cisco.
“According to the provider, upon discovering the incident, the provider immediately commenced an investigation and implemented mitigation measures, including immediately invalidating the employee’s credentials, analyzing activity logs, and notifying Cisco of the incident,” Cisco said in the email sent to impacted customers.
The telecom provider also told Cisco it is taking measures to prevent and further mitigate the risk associated with social engineering attacks.
Cisco said impacted customers can request a copy of the message logs stolen by the attacker.
MFA and single sign-on providers are regularly targeted by cybercriminals. A 2022 phishing attack against the identity authentication provider Twilio exposed the data of more than 160 customers.
Throughout 2022 and 2023, Okta was beset by multiple breaches, and a string of attacks that hit high-profile Okta customer environments. A September 2023 attack against Okta’s support portal impacted all of the company’s customer support system clients.
Correction: This article and its headline have been updated to reflect that an attacker accessed some Cisco Duo customers’ SMS message logs for multifactor authentication.