THE HACK THAT KEEPS ON GIVING
2FA provider Authy, password manager LastPass, and DoorDash all experienced breaches.
In recent weeks, security provider Twilio revealed it had been breached by well-resourced phishers, who used their access to steal data from 163 of its customers. Security firm Group-IB, meanwhile, said that the same phishers who hit Twilio breached at least 136 companies in similar advanced attacks.
Three more companies have in recent days disclosed data breaches that appear to be related to the same activity: Twilio-owned Authy, password manager LastPass, and food delivery network DoorDash. Authentication service Okta and secure messenger provider Signal both recently said their data was accessed as a result of the Twilio breach.
The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy said that the threat actor used its access to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said it has since removed the unauthorized devices from those accounts.
LastPass said a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment. From there, the threat actor "took portions of source code and some proprietary LastPass technical information." LastPass said that master passwords, encrypted passwords and other data stored in customer accounts, and customers' personal information weren't affected. While the LastPass data known to have been obtained isn't especially sensitive, any breach involving a major password management provider is serious, given the wealth of data it stores.
DoorDash also said an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers stolen by the same threat actor, which some are calling Scatter Swine. The threat actor also obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.
As previously reported, the initial phishing attack on Twilio was well planned and executed with surgical precision. The threat actors had the private phone numbers of employees, more than 169 counterfeit domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that relied on one-time passwords.
The threat actor's ability to leverage data obtained in one breach to wage supply-chain attacks against the victims' customers, and its ability to remain undetected since March, demonstrates its resourcefulness and skill. It isn't uncommon for companies that announce breaches to update their disclosures in the days or weeks that follow to include additional information that was compromised. It wouldn't be surprising if one or more victims here do the same.
If there's a lesson in this whole mess, it's that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are: the code is just another secret the user types into whatever page is in front of them, and a phishing page that proxies the real login can relay it to the legitimate site well within the code's validity window. That's what allowed the threat actors to bypass this last line of defense against account takeovers.
One company that was targeted but didn't fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as YubiKeys, which, along with other FIDO2-compliant forms of 2FA, can't be phished. A FIDO2 authenticator signs a challenge together with the origin the browser is actually on, so a response produced on a lookalike domain is rejected by the real site. Companies spouting the tired mantra that they take security seriously shouldn't be taken seriously unless phishing-resistant 2FA is a staple of their digital hygiene.
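To make the difference between the two kinds of 2FA concrete, here is an added simulation of both login flows. It is not code from the article or from any of the companies named; the origins, the relying-party ID, the sample time value, and the use of HMAC as a stand-in for the authenticator's private-key signature are all assumptions made for illustration. It shows a relayed TOTP code being accepted by the real site, and a FIDO2-style assertion produced on a lookalike origin being rejected.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed names for this illustration (not from the article).
REAL_ORIGIN = "https://login.example.com"   # the legitimate login page
PHISH_ORIGIN = "https://login-example.com"  # a lookalike domain run by the phisher
RP_ID = "example.com"                       # relying-party ID the key was registered to


# ---- One-time passwords: the code is a bearer secret -----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with a time-step counter."""
    return hotp(secret, now // step)


def real_site_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server only sees a 6-digit string; nothing in it says where the
    # user typed it, so a relayed code is indistinguishable from a real login.
    return hmac.compare_digest(submitted, totp(secret, now))


def phish_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the lookalike page; the proxy relays it."""
    code_typed_into_phish_page = totp(secret, now)
    return real_site_verify_totp(secret, code_typed_into_phish_page, now)


# ---- FIDO2/WebAuthn-style assertion: signature covers challenge AND origin --
def authenticator_sign(key: bytes, challenge: bytes, browser_origin: str):
    """Build and sign clientDataJSON + authenticatorData.

    The browser, not the user or the page, fills in `origin`. HMAC stands in
    for the authenticator's private-key signature (an assumption made here
    so the example runs without a crypto library)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def real_site_verify_assertion(key: bytes, challenge: bytes,
                               client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != challenge.hex():      # freshness / replay check
        return False
    if cd.get("origin") != REAL_ORIGIN:             # origin binding: the phish fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def fido2_login(key: bytes, browser_origin: str) -> bool:
    """Real site issues a challenge; the page (real or proxied) forwards it;
    the browser signs with whatever origin it is actually on."""
    challenge = secrets.token_bytes(32)
    cd, ad, sig = authenticator_sign(key, challenge, browser_origin)
    return real_site_verify_assertion(key, challenge, cd, ad, sig)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    fido_key = secrets.token_bytes(32)
    print("TOTP relayed through phishing page accepted:", phish_totp(otp_secret, 1_660_000_000))
    print("FIDO2 from legitimate origin accepted:", fido2_login(fido_key, REAL_ORIGIN))
    print("FIDO2 relayed from phishing origin accepted:", fido2_login(fido_key, PHISH_ORIGIN))
```

In a real browser the phishing attempt fails even earlier than the server-side check shown here: the browser refuses to invoke the authenticator at all because "example.com" is not a valid relying-party ID for a page served from login-example.com. The server's origin check is the second layer; the OTP flow has no equivalent of either.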
This post has been rewritten throughout to correct the relationship of the new breaches to the previously disclosed compromise of Twilio.