The manner in which these two organizations responded to their respective breaches is instructive.
We recently learned about major security breaches at two tech companies, Twilio and Slack. The manner in which these two organizations responded is instructive, and since both of them published statements explaining what happened, it’s interesting to observe the differences in their communication.
Of the two, Twilio's response was the better. Their messaging featured:
These four elements should be in any breach notification. Still, Twilio’s post wasn’t perfect. They did not disclose how many customers were impacted – some analysts have said that this could reach more than 150,000 organizations – or what types of data may have been accessed. They also labeled the phishing attack and their security methods “sophisticated”, which some analysts took issue with. Several mentioned that Twilio owns Authy, which provides MFA tools, as an ironic detail indicating that they should have done a better job.
Cloudflare announced that 76 of their employees had experienced a similar attack in the same time frame but didn’t fall for it. One telltale sign: the phishing SMS messages originated from a newly minted domain that was less than an hour old.
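The domain-age signal Cloudflare describes is easy to turn into a triage check. The following is an added example, not code from the original post or from Cloudflare, Twilio or Slack. It extracts URLs from SMS text, reduces each to its registrable domain, and flags any domain that is not on the organization's allowlist or that was registered only recently. The SMS messages, the domain names, the registration timestamps and the `KNOWN_GOOD` allowlist are all constructed for the example; the `REGISTRATION_TIMES` table stands in for a WHOIS/RDAP lookup that a real deployment would perform, and the registrable-domain helper assumes simple two-label domains rather than consulting a public-suffix list.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample SMS texts of the kind described in the post (not real messages).
SAMPLE_SMS = [
    "Your corporate password expires today. Update it at https://sso.example-corp.com/reset",
    "IT notice: schedule change, log in here https://examplecorp-okta.com/login",
    "Package could not be delivered, see https://parcel-track.net/redeliver",
]

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2022, 8, 10, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for a WHOIS/RDAP lookup: registrable domain -> creation time (UTC).
# The second entry models the "less than an hour old" domain from the post.
REGISTRATION_TIMES = {
    "example-corp.com": NOW - timedelta(days=3650),
    "examplecorp-okta.com": NOW - timedelta(minutes=40),
    "parcel-track.net": NOW - timedelta(days=90),
}

# Domains the (hypothetical) employer actually uses; only these should ever be acted on.
KNOWN_GOOD = {"example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    Assumption: plain two-label domains (e.g. example.com). Production code
    should use a public-suffix list to handle names like example.co.uk.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_domains(text: str) -> list[str]:
    """Return the registrable domain of every http(s) URL found in the text."""
    domains = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            domains.append(registrable_domain(host))
    return domains


def domain_age(domain: str, now: datetime = NOW):
    """Age of the domain's registration, or None if the lookup table has no entry."""
    created = REGISTRATION_TIMES.get(domain)
    return None if created is None else now - created


def assess(text: str, now: datetime = NOW, max_age: timedelta = timedelta(days=30)) -> list[tuple[str, str]]:
    """Classify each linked domain in an SMS.

    Verdicts: "known-good" (on the allowlist), "newly-registered" (younger than
    max_age), "unknown-registration" (no lookup result) or "not-allowlisted".
    Anything other than "known-good" is a reason not to follow the link.
    """
    findings = []
    for dom in extract_domains(text):
        if dom in KNOWN_GOOD:
            findings.append((dom, "known-good"))
            continue
        age = domain_age(dom, now)
        if age is None:
            findings.append((dom, "unknown-registration"))
        elif age < max_age:
            findings.append((dom, "newly-registered"))
        else:
            findings.append((dom, "not-allowlisted"))
    return findings


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(sms)
        for dom, verdict in assess(sms):
            age = domain_age(dom)
            print(f"  {dom}: {verdict}" + (f" (registered {age} ago)" if age else ""))
```

The 30-day threshold is an assumption; a domain created less than an hour before the campaign, as in the Cloudflare case, falls far inside it. The check deliberately treats "not on the allowlist" as a failure in its own right, which matches the advice later in the post to go directly to the employer's own page rather than trusting an embedded link.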
Attackers gained access to Twilio’s customer support console. From there, according to an update published by Signal, they were able to access the details of about 1,900 users that are used to verify Signal accounts, searched for three numbers, and successfully re-registered one account via Twilio.
Now, let's turn to Slack's response.
First, don’t trust any embedded URL in a text message, especially if it is security related. Go directly to your employer’s own page for any action you need to take. Of course, this puts the burden on your employer to keep that page current.
Be mindful of requests to enter MFA codes if you didn’t log in anywhere. Don’t respond to these messages either. This assumes that you're using MFA to protect your most sensitive logins.
Next, take care about publishing your corporate email address. Do your social network profiles show it to the public, or only to your personal network?
Don’t forget to carefully vet any API authentication access and applications that you have authorized.
Finally, as Cloudflare suggests, having “a paranoid but blame-free culture is critical for security”. The company has noted that the three employees who fell for the phishing scam were not reprimanded. We are human, after all.