Twilio’s Authy Incident

Background

As the Authy incident has propagated across the industry since the 1st July, I’ve received quite a few emails on this that corroborate the incident’s origins and the organizations involved. The Verge did a nice summary of the situation, with 33 million numbers exposed.

The ShinyHunters hackers announced on the relaunched BreachForums website in late June that they were leaking 33 million random phone numbers associated with Twilio’s two-factor authentication app Authy. The data was reached not only by the Chaos Computer Club (CCC), but also by the hacker group ShinyHunters, a black-hat criminal hacker group that is believed to have formed in 2020 and is said to have been involved in data breaches against AT&T and Microsoft.

Details

The customer data was not released by Twilio directly; it came from one of their partners, iBasis, and their partner IdentifyMobile, who exposed certain SMS-related data sent by iBasis publicly on the internet, including personal data. This personal data and non-personal data (such as data related to marketing campaigns) was initially accessed by a security research group while it was publicly exposed by IdentifyMobile.

The immediate learning is Twilio needs to get into the guts of its partners. iBasis has been in and out of SMS. Some of the consultants iBasis used in the past I’d never do business with; one in particular I consider a serial crook.

I’d assumed IdentifyMobile was no longer in business years ago, as their website is dated 2015. Some of the 10 people on LinkedIn associated with IdentifyMobile also work with other organizations. I’d assumed a zombie corporation; clearly I was wrong.

Twilio relies on numerous partners to maximize deliverability to their final destinations. Twilio was notified that iBasis had used IdentifyMobile who inadvertently enabled public access on an AWS S3 Bucket during development work.

Information contained in this bucket was made public from May 10-15, 2024, and accessed between May 13-14, 2024. Based on a joint investigation between IdentifyMobile and Amazon AWS, Twilio learned that a portion of this data was accessed by the Chaos Computer Club (CCC), and black-hat hackers have also accessed the data. All the timings appear to line up.
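Since the root cause was a bucket left publicly accessible during development, here is an added offline audit (my example, not code from Twilio, iBasis or IdentifyMobile) that reports every anonymous path into an S3 bucket from its ACL grants, bucket policy and Public Access Block settings, and shows the weak configuration beside the fixed one. The ACL, policy and bucket name are constructed sample inputs, shaped like the "Grants", "Policy" and "PublicAccessBlockConfiguration" fields that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return (an assumption about those shapes, not something the post states).

```python
"""Offline audit of an S3 bucket's public exposure (ACL, policy, Public Access Block)."""
import json
# Grantee URIs that make an ACL grant reachable by anyone / any AWS account
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    # Public when Principal is "*" or {"AWS": "*"} (or a list containing "*")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def audit_bucket(acl_grants, policy_json, public_access_block):
    """Return a finding per anonymous path into the bucket ([] if none). PAB
    semantics modelled: IgnorePublicAcls neutralises existing public ACL grants,
    RestrictPublicBuckets neutralises public bucket-policy access."""
    findings, pab = [], public_access_block or {}
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GRANTEES:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for stmt in json.loads(policy_json).get("Statement", []):
            if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
                actions = stmt.get("Action", [])
                actions = ", ".join(actions if isinstance(actions, list) else [actions])
                note = " (Condition present, review it)" if "Condition" in stmt else ""
                findings.append(f"policy allows {actions} to everyone{note}")
    return findings

# Constructed sample: a dev bucket world-readable via ACL and via policy, audited
# with every PAB setting off (the weak configuration) and with all four on (the fix)
EXPOSED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-sms-dev-logs/*"}]})
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}
```

With PAB_OFF the audit returns two findings (a public READ ACL grant and a GetObject policy open to everyone); with PAB_ON it returns none, which is the control that should have been on the bucket from the start of development.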

CCC is a security research group that identifies security issues; CCC has confirmed that they are not holding any data downloaded from the AWS S3 Bucket. While Twilio continues collaborating with these companies to bring the most accurate information regarding this exposure, the portion of data exposed by IdentifyMobile related to SMS sent between January 1, 2024 and May 15, 2024, and included:

  • Mobile number
  • SMS message content
  • SMS Sender ID
  • SMS Timestamp

What has Twilio done so far?

Twilio initiated its incident response process to investigate this matter.

Twilio escalated this issue to the iBasis executive team; subsequently, they’ve done an analysis on the data logs that were compromised. Twilio has ceased sending traffic to iBasis where possible.

iBasis informed Twilio that it has stopped routing with IdentifyMobile.

Twilio will continue working with iBasis / IdentifyMobile to get any additional details that may arise from this incident.

Summary

There are too many layers in the messaging onion. iBasis was in, then out, then back in SMS. I’d assumed IdentifyMobile was no longer in business given the state of its website and the few people on LinkedIn associated with the organization; that was wrong. iBasis were using them.

Public access on an AWS S3 Bucket during development work happens; I’ve seen it happen in the past, but it’s rare. But the scale of this booboo is massive: 33 million.

Chaos Computer Club (CCC) is Europe’s largest association of hackers with 7,700 registered members. Founded in 1981, the association is incorporated as an eingetragener Verein in Germany, with local chapters (called Erfa-Kreise) in various cities in Germany and the surrounding countries, particularly where there are German-speaking communities.

Members of the CCC have demonstrated and publicized a number of important information security problems. The CCC frequently criticizes new legislation and products with weak information security which endanger citizen rights or the privacy of users. They’re good guys.

Someone made a mistake at IdentifyMobile; the good guys (CCC) caught it, but so did the blackhats. This is typical. The complete development process must be reviewed, as well as the people who’ve advised them. Twilio needs to place security and compliance above price. I’d have questioned what services IdentifyMobile was providing for iBasis, as well as their development processes. I would have raised a concern about using iBasis in the first place given some of the people involved in the past 4 years and its lack of commitment to messaging.

As a postscript, the CEO of Twilio on the 1st July sold 11,241 shares at $56.29. That timing is unfortunate given the late-June announcement of the Authy breach by ShinyHunters, a black-hat criminal hacker group.

4 thoughts on “Twilio’s Authy Incident”

  1. Pingback: Podcast 80: TADSummit Innovators, Sandro Gauci, Enable Security - Blog @ Telecom Application Developer Summit (TADS)

    Alan Quayle (post author), in reply:

      Thanks Sandra, you’re right. Just wow on the numbers. I’ll get the post updated.
