The number of companies caught up in recent hacks keeps growing

In recent weeks, security provider Twilio revealed it was breached by well resourced phishers, who used their access to steal data from 163 of its customers. Security firm Group-IB, meanwhile said that the same phishers who hit Twilio breached at least 136 companies in similar advanced attacks.

Three companies — Twilio-owned Authy, password manager LastPass, and food delivery network DoorDash in recent days have all disclosed data breaches that appear to be related to the same activity. Authentication service Okta and secure messenger provider Signal, both recently said their data was accessed as a result of the Twilio breach.

Group-IB said on Thursday that at least 136 companies were phished by the same threat actor as Twilio. DoorDash is one of them, a company representative has told TechCrunch.

Uncommonly resourceful

The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy said that the threat actor used its access to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said it has since removed unauthorized devices from those accounts.

LastPass said a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment. From there, the threat actor “took portions of source code and some proprietary LastPass technical information.” LastPass said that master passwords, encrypted passwords and other data stored in customer accounts, and customers’ personal information weren’t affected. While the LastPass data known to be obtained isn’t especially sensitive, any breach involving a major password management provider is serious, given the wealth of data it stores.

DoorDash also said that an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers stolen by the same threat actor, which some are calling Scatter Swine. The threat actor obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.

As already reported, the initial phishing attack on Twilio was well-planned and executed with surgical precision. The threat actors had private phone numbers of employees, more than 169 counterfeit domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.

The threat actor’s ability to leverage data obtained in one breach to wage supply-chain attacks against the victims’ customers—and its ability to remain undetected since March—demonstrates its resourcefulness and skill. It’s not uncommon for companies that announce breaches to update their disclosures in the days or weeks following to include additional information that was compromised. It won’t be surprising if one or more victims here do the same.

If there’s a lesson in this whole mess, it’s that not all 2FA is equal. One-time passwords sent by SMS or generated by authenticator apps are as phishable as passwords are, and that’s what allowed the threat actors to bypass this last form of defense against account takeovers.

One company that was targeted but didn’t fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA that used physical keys such as Yubikeys, which along with other FIDO2 compliant forms of 2FA, can’t be phished. Companies spouting the tired mantra that they take security seriously shouldn’t be taken seriously unless phishing-resistant 2FA is a staple of their digital hygiene.

This post has been rewritten throughout to correct the relationship of the new breaches to the previously disclosed compromise of Twilio.