Twilio Smishing Breach 2022
Breach Summary
The Twilio breach of 2022 is the most documented example of smishing as a corporate attack vector. Attackers sent SMS messages to Twilio employees impersonating IT, directing them to phishing pages that stole credentials. The breach cascaded to Twilio customers including Signal and Authy, demonstrating how a communications platform breach amplifies impact across the companies that depend on it.
What Happened
Twilio disclosed the breach in August 2022, confirming that smishing attacks against employees had enabled unauthorized access to customer data. A coordinated investigation with other affected companies identified a threat actor group dubbed '0ktapus' that had simultaneously targeted dozens of technology companies with similar smishing campaigns, collectively compromising over 100 organizations. Cloudflare was also targeted but successfully defended using hardware security keys.
Attack Vector Detail
The attackers sent SMS messages to current and former Twilio employees claiming their passwords had expired or their schedules had changed, directing them to convincing Twilio SSO phishing pages. Multiple employees entered their credentials. The attackers used those credentials to access Twilio's internal customer support tools, gaining access to customer account data for a limited number of Twilio customers.
Among the affected customers was Authy, Twilio's two-factor authentication app, where the attackers accessed phone numbers associated with Authy accounts. Signal disclosed that the breach allowed the attackers to re-register Signal numbers for approximately 1,900 users, potentially intercepting SMS verification codes for those accounts.
Breach Pattern Timeline
June 2022
Initial smishing campaign begins targeting Twilio employees. Attackers — later attributed to '0ktapus' / Scattered Spider — send SMS texts impersonating Twilio IT, directing recipients to phishing pages mimicking Twilio's Okta SSO login.
August 4, 2022
Twilio discovers and confirms the breach. Some Twilio employees had entered credentials into the phishing pages, providing attackers access to Twilio's internal systems.
August 7, 2022
Twilio publicly discloses: attackers accessed data of approximately 125 customer accounts. Among the affected: Signal Messenger, which uses Twilio for SMS verification.
August 15, 2022
Signal discloses to its users that approximately 1,900 Signal accounts may have had attackers register their phone numbers to a different device. The attackers' goal: hijack Signal accounts of high-value targets.
August-September 2022
Reporting reveals 0ktapus / Scattered Spider also compromised Authy (also owned by Twilio), MailChimp, Cloudflare (which detected and blocked the attack), DigitalOcean, and dozens of other organizations through identical smishing tactics.
October 2022
Twilio discloses an additional access attempt in late June 2022 (separate from the August event), affecting a smaller subset of customers.
November 2022
Twilio confirms full scope: 209 customer organizations affected by August event + 93 by June event. Attribution to Scattered Spider / UNC3944 confirmed.
2023-2024
Scattered Spider continues operations against MGM Resorts, Caesars Entertainment, and others. Becomes one of the most consequential threat actor groups of 2023-2024.
2024-2026
Twilio implements phishing-resistant MFA, enhanced employee training, and SOC monitoring for credential-based attacks. The Twilio breach is now standard reference in CISO training as an example of how SMS-based MFA can be undermined and how single-vendor compromise cascades downstream.
Total impact: ~302 customer organizations affected (downstream including Signal, Authy, Cloudflare, MailChimp, DigitalOcean, others), foundational precedent for SMS-based MFA limitations, smishing-driven enterprise breaches, and Scattered Spider threat actor profile.
Executive Lessons
The Twilio breach demonstrated that SMS-based MFA is not a sufficient authentication control for privileged access — the attackers were able to bypass it by compromising the SMS delivery infrastructure. The breach also established that customer-facing identity and authentication vendors are high-value attack targets because their compromise can cascade to their customers' users. Twilio-dependent services including Authy, Signal, and Okta were all affected.
Private Equity Implications
For PE portfolio companies using Twilio, Authy, or similar SMS-based authentication platforms, the Twilio breach reinforced that authentication infrastructure vendor risk must be assessed as a component of identity security posture. Phishing-resistant MFA — FIDO2/passkeys — eliminates SMS interception risk at the authentication layer.
Frequently Asked Questions
What was the Twilio breach of 2022?
In August 2022, Twilio disclosed that attackers had used SMS phishing (smishing) to compromise employee credentials and access internal systems. The compromise affected approximately 209 Twilio customers and gave attackers access to Authy two-factor authentication accounts for an estimated 75 million users. The breach was attributed to threat actor Scatter Swine, an earlier iteration of what became Scattered Spider.
How did the Twilio attack happen?
Attackers sent SMS phishing messages to Twilio employees impersonating Twilio's IT department, directing employees to fake Twilio sign-in pages that captured credentials and one-time MFA codes. Multiple employees entered credentials into the phishing infrastructure. Attackers used those credentials to access Twilio's internal systems and pivot to customer-facing Twilio services including Authy.
What was the impact on Authy users?
Authy is a two-factor authentication app with approximately 75 million users. The Twilio breach exposed phone numbers for those users: not the 2FA secrets themselves, but the phone numbers associated with Authy accounts. The phone number exposure enabled subsequent SIM swap attacks against affected users. A separate 2024 disclosure revealed that the breach also exposed more Authy data than initially acknowledged.
Who is Scatter Swine?
Scatter Swine is the threat actor name initially assigned to the group that compromised Twilio. Subsequent research connected the group to other 2022 attacks against Cloudflare, MailChimp, and dozens of other organizations using identical smishing methodology. The group ultimately evolved into what is now tracked as Scattered Spider — the same actor responsible for MGM, Caesars, and many other 2023-2024 attacks.
What did Twilio establish about SMS phishing?
Twilio demonstrated that SMS phishing combined with same-session MFA capture defeats traditional MFA implementations. The incident accelerated industry adoption of phishing-resistant MFA (FIDO2 hardware keys, platform authenticators) and of number-matching MFA, which requires the user to enter a number displayed by the authenticating application, providing protection against same-session credential and OTP capture.
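The difference the answer above draws, as an added example that is not part of the original article: a TOTP verifier accepts a valid code no matter which page the user typed it into, while the clientDataJSON check a WebAuthn (FIDO2) relying party performs rejects an assertion produced on a lookalike origin. The origins, secret and challenge are constructed values, and the signature verification a full relying party performs is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://sso.example.com"      # constructed: the genuine sign-in origin
PHISH_ORIGIN = "https://sso-example.test"  # constructed: lookalike page linked from the SMS

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the kind of code an authenticator app displays."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: float) -> bool:
    # The server sees only the digits; nothing records which page the user typed them into.
    return hmac.compare_digest(totp(secret, at), code)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the page, records the origin of the document that requested the assertion.
    fields = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(fields).encode()

def verify_client_data(client_data_json: bytes, expected_challenge: bytes) -> bool:
    """Relying-party checks on clientDataJSON: type, challenge, origin.
    A full verifier also checks the authenticator signature, which covers
    SHA-256(clientDataJSON), so a relay cannot rewrite the origin (omitted here)."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(data.get("challenge", ""), b64url(expected_challenge))
            and data.get("origin") == RP_ORIGIN)

def relay_outcomes() -> dict:
    """Server-side decision for a relayed OTP, a direct WebAuthn login and a relayed one."""
    secret, now = b"constructed-shared-secret", 1_660_000_000
    challenge = b"constructed-challenge-0001"
    code_typed_on_lookalike = totp(secret, now)  # user reads the code, types it on the wrong site
    return {
        "totp_relayed": verify_totp(secret, code_typed_on_lookalike, now + 5),
        "webauthn_direct": verify_client_data(browser_client_data(RP_ORIGIN, challenge), challenge),
        "webauthn_relayed": verify_client_data(browser_client_data(PHISH_ORIGIN, challenge), challenge),
    }

if __name__ == "__main__":
    print(relay_outcomes())
```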