Twilio Smishing Breach 2022
Breach Summary
The Twilio breach of 2022 is the most documented example of smishing as a corporate attack vector. Attackers sent SMS messages to Twilio employees impersonating IT, directing them to phishing pages that stole credentials. The breach cascaded to Twilio customers including Signal and Authy, demonstrating how a communications platform breach amplifies impact across the companies that depend on it.
What Happened
Twilio disclosed the breach in August 2022, confirming that smishing attacks against employees had enabled unauthorized access to customer data. A coordinated investigation with other affected companies identified a threat actor group dubbed '0ktapus' that had simultaneously targeted dozens of technology companies with similar smishing campaigns, collectively compromising over 100 organizations. Cloudflare was also targeted but successfully defended using hardware security keys.
Attack Vector Detail
The attackers sent SMS messages to current and former Twilio employees claiming their passwords had expired or their schedules had changed, directing them to convincing Twilio SSO phishing pages. Multiple employees entered their credentials. The attackers used those credentials to access Twilio's internal customer support tools, gaining access to customer account data for a limited number of Twilio customers.
Among the affected customers was Authy, Twilio's two-factor authentication app, where the attackers accessed phone numbers associated with Authy accounts. Signal disclosed that the breach allowed the attackers to re-register Signal numbers for approximately 1,900 users, potentially intercepting SMS verification codes for those accounts.
Breach Pattern Timeline
June 2022
Initial smishing campaign begins targeting Twilio employees. Attackers — later attributed to '0ktapus' / Scattered Spider — send SMS texts impersonating Twilio IT, directing recipients to phishing pages mimicking Twilio's Okta SSO login.
August 4, 2022
Twilio discovers and confirms the breach. Some Twilio employees had entered credentials into the phishing pages, providing attackers access to Twilio's internal systems.
August 7, 2022
Twilio publicly discloses: attackers accessed data of approximately 125 customer accounts. Among the affected: Signal Messenger, which uses Twilio for SMS verification.
August 15, 2022
Signal discloses to its users that approximately 1,900 Signal accounts may have had attackers register their phone numbers to a different device. The attackers' goal: hijack Signal accounts of high-value targets.
August-September 2022
Reporting reveals 0ktapus / Scattered Spider also compromised Authy (also owned by Twilio), MailChimp, Cloudflare (which detected and blocked the attack), DigitalOcean, and dozens of other organizations through identical smishing tactics.
October 2022
Twilio discloses an additional access attempt in late June 2022 (separate from the August event), affecting a smaller subset of customers.
November 2022
Twilio confirms the full scope: 209 customer organizations affected by the August event and 93 by the June event. Attribution to Scattered Spider / UNC3944 is confirmed.
2023-2024
Scattered Spider continues operations against MGM Resorts, Caesars Entertainment, and others, becoming one of the most consequential threat actor groups of 2023-2024.
2024-2026
Twilio implements phishing-resistant MFA, enhanced employee training, and SOC monitoring for credential-based attacks. The Twilio breach is now a standard reference in CISO training as an example of how SMS-based MFA can be undermined and how a single-vendor compromise cascades downstream.
Total impact: ~302 customer organizations affected (downstream, including Signal, Authy, Cloudflare, MailChimp, DigitalOcean, and others); a foundational precedent for SMS-based MFA limitations, smishing-driven enterprise breaches, and the Scattered Spider threat actor profile.
Executive Lessons
The Twilio breach demonstrated that SMS-based MFA is not a sufficient authentication control for privileged access — the attackers were able to bypass it by compromising the SMS delivery infrastructure. The breach also established that customer-facing identity and authentication vendors are high-value attack targets because their compromise can cascade to their customers' users. Twilio-dependent services including Authy, Signal, and Okta were all affected.
Private Equity Implications
For PE portfolio companies using Twilio, Authy, or similar SMS-based authentication platforms, the Twilio breach reinforced that authentication infrastructure vendor risk must be assessed as a component of identity security posture. Phishing-resistant MFA — FIDO2/passkeys — eliminates SMS interception risk at the authentication layer.
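As an added illustration (not from the original article) of why FIDO2/passkeys close the gap that SMS OTP leaves open, the Python below simulates both flows against a phishing page that relays whatever the victim submits to the real login service. The origins, RP ID and the HMAC stand-in for the authenticator's signature are constructed simplifications for the demo, not Twilio's or Okta's implementation.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://sso.example.com"      # assumed legitimate SSO origin (placeholder)
PHISH_ORIGIN = "https://sso-example.com"   # constructed lookalike origin for the demo
RP_ID = "sso.example.com"                  # RP ID the credential was registered for
CRED_KEY = secrets.token_bytes(32)         # stand-in for the authenticator's private key


def sms_otp_login(code_issued: str, code_submitted: str) -> bool:
    # An SMS code is a bearer secret: the RP cannot tell where the user typed it,
    # so a code entered into a lookalike page and relayed by the phisher is accepted.
    return hmac.compare_digest(code_issued, code_submitted)


def authenticator_sign(challenge: bytes, page_origin: str) -> dict:
    # The browser, not the user, records the origin of the page that requested the
    # assertion; the authenticator signs over that origin and the RP ID hash.
    # hmac stands in for the real asymmetric signature (simplification).
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "sig": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def rp_verify_assertion(challenge: bytes, assertion: dict) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:          # origin binding defeats the relay
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_attack_outcomes() -> dict:
    # The victim interacts only with the phishing page; the phisher forwards to the RP.
    otp = f"{secrets.randbelow(10**6):06d}"    # code the RP sent by SMS
    challenge = secrets.token_bytes(32)        # RP challenge, forwarded unchanged
    return {"sms_otp_relayed": sms_otp_login(otp, otp),
            "fido_relayed": rp_verify_assertion(challenge, authenticator_sign(challenge, PHISH_ORIGIN)),
            "fido_genuine": rp_verify_assertion(challenge, authenticator_sign(challenge, RP_ORIGIN))}
```

A real browser would additionally refuse to use a credential scoped to `sso.example.com` from the lookalike origin at all, so the origin check shown here is the second of two layers that a relayed OTP never has.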