Monday, October 3, 2022

The number of companies caught in recent attacks continues to grow


In recent weeks, security provider Twilio revealed that it was breached by deep-pocketed phishers, who used their access to steal data from 163 of its customers. Meanwhile, the security firm Group-IB said the same phishers that targeted Twilio have breached at least 136 companies in similar advanced attacks.

Three companies — Twilio-owned Authy, password manager LastPass, and food delivery network DoorDash — have in recent days revealed data leaks that appear to be related to the same activity. Authentication service Okta and secure messaging provider Signal both recently said their data was accessed as a result of the Twilio breach.

Group-IB said on Thursday that at least 136 companies were spoofed by the same threat actor as Twilio. DoorDash is one of them, a company representative has told TechCrunch.

Extraordinarily clever

The Authy and LastPass compromises are the most concerning of the new revelations. Authy says that it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor already obtained in previous breaches, these tokens may have been the only thing that prevented further accounts from being taken over. Authy said the threat actor used its access to log into just 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said that it has since removed unauthorized devices from those accounts.

LastPass said a threat actor gained unauthorized access, through a single compromised developer account, to parts of the password manager's development environment. From there, the threat actor “took parts of the source code and some proprietary technical information from LastPass.” LastPass said that master passwords, encrypted passwords and other data stored in customer accounts and customer personal information were not affected. While the LastPass data that is known to have been obtained is not particularly sensitive, any breach involving a major password management provider is serious, given the vast amount of data it stores.

DoorDash said that an undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers stolen by the same threat actor, which some call Scatter Swine. The threat actor obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.

As previously reported, the initial phishing attack on Twilio was well planned and executed with surgical precision. Threat actors had private employee phone numbers, more than 169 spoofed domains mimicking Okta and other security providers, and the ability to bypass 2FA protections that used one-time passwords.

The threat actor’s ability to leverage data obtained in a breach to conduct supply chain attacks against victims’ customers, and its ability to remain undetected since March, demonstrates its ingenuity and skill. It is not uncommon for companies announcing breaches to update their disclosures in the following days or weeks to include additional information that was compromised. It won’t be surprising if one or more victims here do the same.

If there’s a lesson in all this mess, it’s that not all 2FA is created equal. One-time passwords sent via SMS or generated by authenticator apps are just as phishable as passwords, and that’s what allowed threat actors to bypass this latest form of defense against account takeover.

One company that was attacked but did not fall victim was Cloudflare. The reason: Cloudflare employees relied on 2FA using physical keys like YubiKeys, which, along with other FIDO2-compliant forms of 2FA, cannot be phished. Companies spouting the tiresome mantra that they are serious about security should not be taken seriously unless phishing-resistant 2FA is a staple of their digital hygiene.
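The difference described above, as an added example that is not part of the original article: a server checking a one-time password cannot tell where the code was typed, while a FIDO2-style check covers the origin the browser recorded. This is a simplified model in which an HMAC stands in for the security key's public-key signature; the hostnames, secrets and challenge are constructed.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # The server sees only digits; nothing records which site they were typed into.
    return hmac.compare_digest(totp(secret, at), code)

def _sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    # Simplification: HMAC stands in for the security key's public-key signature.
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()

def browser_assertion(key: bytes, page_origin: str, challenge: str):
    # The browser, not the user or the page, writes the origin it is actually on.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    auth_data = rp_hash + b"\x01" + struct.pack(">I", 1)  # rpIdHash, flags, counter
    return client_data, auth_data, _sign(key, auth_data, client_data)

def verify_assertion(key, origin, challenge, client_data, auth_data, sig) -> str:
    if not hmac.compare_digest(sig, _sign(key, auth_data, client_data)):
        return "bad signature"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad challenge"
    if cd.get("origin") != origin:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(origin.split("://", 1)[1].encode()).digest():
        return "rpId mismatch"
    return "ok"

SECRET, KEY = b"constructed-totp-seed", b"constructed-credential-key"
REAL, LOOKALIKE = "https://sso.example.com", "https://sso-example.test"  # made-up hosts

def demo() -> dict:
    now, chal = 1_664_755_200, "constructed-challenge"
    code = totp(SECRET, now)  # typed into the lookalike page, then relayed
    good, phished = (browser_assertion(KEY, o, chal) for o in (REAL, LOOKALIKE))
    edited = (phished[0].replace(LOOKALIKE.encode(), REAL.encode()),) + phished[1:]
    return {"totp_relayed": verify_totp(SECRET, code, now + 10),
            "fido_genuine": verify_assertion(KEY, REAL, chal, *good),
            "fido_relayed": verify_assertion(KEY, REAL, chal, *phished),
            "fido_edited": verify_assertion(KEY, REAL, chal, *edited)}
```

The model is pessimistic on the FIDO2 side: a real security key scopes each credential to the relying party's ID, so it would have no credential to sign with on the lookalike host in the first place.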

This post has been completely rewritten to correct the relationship of the new breaches to the previously disclosed Twilio compromise.
