Dive Brief:
- The threat actor behind the Aug. 4 phishing attack against Twilio gained access to the phone numbers and text messages containing one-time passwords of multiple Okta customers. Okta, in an update last week, disclosed it was one of the 163 Twilio customers impacted by the attack.
- Once the threat actor gained access to Twilio’s internal systems, they performed searches in Twilio’s administrative portal for messages sent using Okta’s Twilio account. “The threat actor specifically searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization,” Okta wrote in its blog post.
- Twilio notified Okta that “unspecified data” was exposed four days after it first became aware of the attack. Okta rerouted text message communications to another provider after it was informed of the compromise.
Dive Insight:
The phishing attack against Twilio continues to unfold, as more victims are discovered and come forward with details about various levels of exposure. The incident bears the markings of a persistent and sophisticated campaign that engulfed IT service providers, giving the threat actor a path to additional downstream targets.
The threat actor exploited usernames and passwords stolen in previous phishing campaigns to trigger text-message authentication processes, and used its access to Twilio’s systems to search for one-time passwords sent as a result of those two-factor authentication requests, according to Okta.
A “small number” of customers were notified about the potential impact, and Okta emphasized the one-time passwords expire after five minutes.
Okta investigated internal system logs provided by Twilio and determined primary and secondary customer data was exposed during the attack. This included phone numbers belonging to Okta customers the threat actor searched for directly, and “incidental” phone numbers that were subsequently exposed but not specifically targeted by the threat actor.
The threat actor took no action to intentionally access the incidental phone numbers, and did not target or use that exposed data belonging to Okta customers, according to Okta. The company said Okta usernames are not visible in Twilio logs.
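The behaviour Okta describes above, an operator in the SMS provider's administrative portal searching for 38 distinct phone numbers, is something a provider can hunt for in its own console audit logs. The following is an added example, not code from Okta, Twilio or this article: it runs over constructed audit records in an assumed `timestamp|operator|action|target` format (not Twilio's real schema) and flags any operator who searches for at least a threshold number of distinct phone numbers inside a sliding time window. The window, threshold and operator names are assumptions chosen for illustration.

```python
"""Detect mass phone-number lookups by one operator in an admin-portal audit log.

The log schema, the operator names, the 30-minute window and the threshold of
10 distinct numbers are assumptions for this example, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed sliding window
THRESHOLD = 10                   # assumed number of distinct numbers that warrants an alert

# Constructed sample records: "timestamp|operator|action|target".
# Benign activity for one operator, plus one operator account that queries
# 38 distinct numbers within a few minutes (mirroring the count Okta reported).
CONSTRUCTED_LOG = [
    "2022-08-04T13:55:02Z|ops.alice|search_messages|+15550100900",
    "2022-08-04T13:57:30Z|ops.alice|view_message|SM00000001",
    "2022-08-04T15:10:00Z|ops.alice|search_messages|+15550100901",
] + [
    f"2022-08-04T14:{2 + i // 6:02d}:{(i * 9) % 60:02d}Z"
    f"|ops.compromised|search_messages|+1555020{i:04d}"
    for i in range(38)
]


def parse(line):
    """Split one audit record into (datetime, operator, action, target)."""
    ts, operator, action, target = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, target


def find_mass_lookups(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {operator: (distinct_numbers, window_start, window_end)} for every
    operator whose phone-number searches inside any `window` reach `threshold`
    distinct numbers. For each operator the densest window seen is reported."""
    per_operator = defaultdict(list)
    for line in lines:
        ts, operator, action, target = parse(line)
        # Only message searches keyed by a phone number are of interest here;
        # lookups by message SID or other identifiers are ignored.
        if action == "search_messages" and target.startswith("+"):
            per_operator[operator].append((ts, target))

    alerts = {}
    for operator, events in per_operator.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {number for _, number in events[start:end + 1]}
            if len(distinct) >= threshold:
                previous = alerts.get(operator)
                if previous is None or len(distinct) > previous[0]:
                    alerts[operator] = (len(distinct), events[start][0], events[end][0])
    return alerts


if __name__ == "__main__":
    for operator, (count, first, last) in find_mass_lookups(CONSTRUCTED_LOG).items():
        print(f"ALERT {operator}: {count} distinct numbers searched between {first} and {last}")
```

The detector keys on distinct numbers rather than raw search volume, so a support engineer repeatedly re-running a query for one customer's number does not trip it, while an operator sweeping a list of targets does. In practice the threshold would be tuned against the provider's normal support workload, and the alert would be enriched with whether the searched numbers belong to a single downstream customer, as Okta noted nearly all 38 did.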
Okta, which refers to the persistent phishing campaign as “Scatter Swine” instead of the “Oktapus” moniker coined by cybersecurity vendor Group-IB, said the threat actor targeted multiple technology companies for months.
The adversary, which first initiated the attacks in March, has compromised almost 10,000 user credentials across 136 organizations, according to Group-IB. This includes text message phishing attacks that allowed it to steal Okta identity credentials and authentication codes, the researchers said.
While Okta admits some phone numbers and one-time passwords have been exposed, it asserts no accounts were accessed by the threat actor.
“Scatter Swine has directly targeted Okta via phishing campaigns on several occasions but was unable to access accounts due to the strong authentication policies that protect access to our applications,” Okta said.
Okta earlier this year initially denied, then later admitted, that it was breached by the extortion group Lapsus$. The group gained access to Okta data through a third-party vendor, then published screenshots to boast of the exploit and goad Okta’s response.
Okta detailed many of Scatter Swine’s tactics, techniques and procedures to help other organizations with threat hunting activities.
The threat actor sometimes calls targeted individuals and impersonates support in a bid to understand how authentication works, according to Okta. Targets thus far include technology companies, telecommunications providers and organizations or individuals linked to cryptocurrency.