Incident Report: Employee and Customer Account Compromise

Twilio has disclosed a security incident involving an SMS phishing attack that targeted Twilio employees, resulting in unauthorized access to some internal systems. The attackers used sophisticated social engineering tactics, including fake text messages purporting to be from the IT department, to trick employees into providing their credentials. The attackers gained access to customer data and were able to access certain customer information, but no passwords or authentication tokens were accessed without authorization. Twilio has notified affected customers and is working to improve its security posture, including implementing additional measures such as stronger two-factor precautions, increased VPN controls, and mandatory security training for employees.