Scatter Swine Scams 130 Companies

Hackers Hijack Twilio, Mailchimp, Cloudfare and Kaviyo

Twilio recently revealed a massive data breach carried out by hackers aligned to the Scatter Swine or 0ktapus gang. However, cyber security analysts revealed the recent hack was a part of a much larger hacking attack done by the purported criminals.

The hackers were tracked to at least 130 organizations mostly in the United States, inclusive of MailChimp, Twilio, Klaviyo, and Cloudflare. The extensive hacking campaign triggered Twilio to update its database with added security, according to the company.

Analytical reports documented that the Scatter Swine or 0ktapus hackers August hack followed the June 2022 cyber security breach, traced to the same gang. In the earlier attack, as reported by Twilio, a cloud communications service, describes the incident as a “brief security incident”.

However, the June 29 hacking incident led to the theft of credentials, and contact information for some Twilio customers, as revealed by the company’s spokesperson. And as reported, the June attack was identified within 12 hours and eradicated by its cyber security team within two days, thus, preventing further infiltration by the threat actors.

Twilio Phishing Scam

Upon discovering the first breach, customers whose information was impacted by the incident were notified on July 2, 2022. In addition, Twilio reports the recent August breach gave the hackers access to the data of 209 customers and 93 Authy users. Their investigation shows that the criminals had gained entrance into its private database after breaching some internal non-production systems, by using SMS phishing credentials stolen from its employees.

However, according to released statements, only 209 customers were affected – out of more than 270,000 customers. In addition, from the company’s approximate 75 million Authy clients, the hack affected just a small contingent of 93 users.

Although the hacking incident on August 7, was quickly blocked by Twilio’s security team, it has since been revealed that the hackers accessed its database for two additional days.

A company official noted that the last unauthorized activity was observed on August 9, 2022. The coordinated hacking campaign on Twilio’s network occurs after hackers used employees’ credentials stolen in an SMS phishing scam.

FIDO2 Blocks Hackers

By gaining access, the hackers stole Twilio’s customers’ data via administrative portals and Authy 2FA accounts. The investigation also shows that the threat actors registered their own devices that gave them additional temporary access tokens.

After the cyber security breach, Cloudflare reported that the hackers that targeted its platform failed in their attempt to breach its systems. This was possible with the defense of its FIDO2 security hardware, which blocked their login attempts.

The company also revealed the FIDO2-compliant hardware security keys were installed after a previous hack that victimized its system. Reportedly, an SMS phishing attack hijacks the private credentials of its employees.

To prevent future hacking attacks on its platform, Twilio says its IT security team has reset the credentials of compromised employee user accounts. In addition, a new set of distributed FIDO2 tokens was added to further ward off new attacks by criminal hackers.