The attack on authentication company Twilio early this month appears to be much broader than first thought. Password manager LastPass and authentication company Authy are also among the victims.
With two-factor authentication, in addition to your password, you also need an extra unique code or confirmation to log in.
At the beginning of August, it became known that data had been stolen from the American communications giant Twilio. The company, which provides multi-step authentication to Facebook and Uber, among others, was the victim of a phishing attack in which the hackers gained access to a customer database.
Now security firm Group-IB says in a report that the attack is part of a much broader phishing campaign that hit at least 136 companies. The firm calls the campaign 0ktapus, after the authentication company whose software is used by many of the victims. The victims reportedly include Twilio subsidiary Authy, itself an authentication company; password manager LastPass; and American meal-delivery company DoorDash. All three announced a data breach in recent weeks.
Messaging service Signal and authentication software supplier Okta also announced that their data had been accessed as a result of the Twilio hack. For Okta, this is already the second attack this year. Data from that attack on Okta in March is believed to have been used to support the subsequent phishing attacks.
According to Group-IB, 136 companies were attacked by the same group that hit Twilio, using a sophisticated form of phishing. Targets who work for one of the 136 companies receive a text message that sends them to a fake version of an Okta authentication login screen. The aim is to intercept the victims' Okta logins and authentication codes and use them to log in to the companies in question.
The targets and victims of this group are somewhat worrying because many of them are companies that provide authentication for others. These would therefore be supply chain attacks meant to give access to other companies: for example, Authy stores tokens for two-step verification (2FA) for 75 million users. The attack on the company was apparently used to add new devices that could receive one-time passwords. Those devices have since reportedly been removed by the company itself. LastPass saw some of its source code stolen, but passwords and other customer account data were not compromised.
Okta says in its own report that during the attack on its network, the group specifically looked for phone numbers, most of which belonged to a single company. That suggests the attackers were trying to get into that company by this route.
The campaign shows that not every form of 2FA is equally safe. The system is still a lot better than a password alone, but it can be 'cracked' with enough effort and time. The group behind this campaign is specifically working on intercepting authentication text messages in order to break in further. That is also clear from the story of one target that was not breached: Cloudflare. The company says it was targeted like the others, but its staff use 2FA via physical keys, such as the YubiKey. Those are a lot harder to intercept than a text message, which left the attackers empty-handed at this company.
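To make the difference concrete, here is an added illustration (not from the article or from any of the companies named) of why a text-message or app code survives being relayed through a fake login page while a hardware-key assertion does not. The seed, key, and origins are constructed sample values, and an HMAC stands in for the key's ECDSA signature; the origin check itself is how WebAuthn relying parties actually reject assertions made on the wrong site.

```python
import hashlib, hmac, json, struct

# Constructed sample values; nothing here comes from the real incident.
TOTP_SECRET = b"constructed-shared-seed"
DEVICE_KEY = b"constructed-authenticator-key"      # stands in for a FIDO private key
REAL_ORIGIN = "https://login.example-company.com"
PHISH_ORIGIN = "https://login-example-company.com"  # look-alike used by the fake page

def totp_code(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP. The code depends only on the shared seed and the clock,
    so a code typed into a fake page is just as valid on the real site."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def real_site_accepts_totp(submitted: str, now: int) -> bool:
    # Servers usually tolerate one step of clock skew, which also covers relay delay.
    return any(hmac.compare_digest(submitted, totp_code(TOTP_SECRET, now - d)) for d in (0, 30))

def key_assertion(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser writes the origin the user is really on into clientData and the
    authenticator signs its hash. HMAC replaces the ECDSA signature (simplification)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen_by_browser}).encode()
    sig = hmac.new(DEVICE_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}

def real_site_accepts_assertion(assertion: dict, challenge: bytes) -> bool:
    data = json.loads(assertion["clientData"])
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge.hex():
        return False  # signed on a look-alike page, or for a stale challenge
    expected = hmac.new(DEVICE_KEY, hashlib.sha256(assertion["clientData"]).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected)

def simulate(now: int) -> dict:
    """Fake page captures both factor types and relays them to the real site within seconds."""
    relayed_code = totp_code(TOTP_SECRET, now)               # victim typed this into the fake page
    challenge = b"\x01" * 32                                  # real site's challenge, proxied by the fake page
    relayed_assertion = key_assertion(challenge, PHISH_ORIGIN)  # browser was on the fake origin
    return {
        "sms_or_app_code_relay": real_site_accepts_totp(relayed_code, now + 5),
        "fido_key_relay": real_site_accepts_assertion(relayed_assertion, challenge),
        "fido_key_genuine": real_site_accepts_assertion(key_assertion(challenge, REAL_ORIGIN), challenge),
    }
```

The relayed code is accepted, the relayed key assertion is rejected solely because the browser recorded the look-alike origin, and a genuine login on the real origin still works.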