The hackers that breached outsourced customer communications vendor Twilio earlier this month didn’t just compromise encrypted communications app vendor Signal.
In fact, they compromised more than 130 companies and 10,000 employees.
Why? Because Twilio is a vendor to all of these companies, and these companies trusted Twilio.
And, apparently, Twilio’s security practices were not good enough.
The attackers sent requests that appeared to come from Twilio, so Twilio’s customers trusted them and handed over the requested credentials.
It appears that the hackers targeted Twilio customers that used Okta; as a result, the hackers are being called Oktapus.
In addition to being really active in assessing your vendors’ security practices, you also need to look at their software development practices and employee training.
What risk does that vendor represent to your organization, and who is responsible for what when a breach happens? As a side note, many vendor contracts don’t even require the vendor to tell their customer if they are hacked or pay a ransom.
And, this is not a one-time activity. You have to periodically rinse and repeat.
In this case, it also looks like Twilio/Okta’s customers may have played a role in responding to the credential requests. I don’t think Okta normally requests credentials this way, because the way it is typically implemented, you log on to your corporate network and that network shares your information with Okta.
While Okta, Twilio and the researchers have not shared the names of the companies that were compromised, the researchers said they were well-known companies. A list that TechCrunch saw included 13 in financial services, 7 retail giants and 2 video game companies. That leaves more than a hundred unaccounted for, even at this level.
If you think your vendor cyber risk management program could use a little bit of tuning up, please contact us. Likewise, if you need help with employee training.
Credit: TechCrunch