A tale of two breaches: Comparing Twilio and Slack’s responses

David Strom 15 Aug 2022

The manner in which these two organizations responded to their respective breaches is instructive.

We recently learned about major security breaches at two tech companies, Twilio and Slack. The manner in which these two organizations responded is instructive, and since both of them published statements explaining what happened, it’s interesting to observe the differences in their communication.

How did Twilio respond to its recent breach?

Out of the two companies affected by recent breaches, Twilio's response was the better of the two. Their messaging featured:

  • An honest assessment of how the incident happened (in this case, it was due to phishing lures that tricked Twilio staffers into sharing their sign-on credentials and MFA codes on impersonated web pages)

  • Plenty of details and specifics about the breach, not mincing any words

  • Timely notification (the breach happened a few days prior to the blog post’s publishing)

  • Specifics about the mitigating actions taken, including the fact that the company is in the process of individually notifying impacted customers

These four elements should be in any breach notification. Still, Twilio’s post wasn’t perfect. They did not disclose how many customers were impacted – some analysts have said that this could reach more than 150,000 organizations -- or what types of data may have been accessed. They also labeled the phishing attack and their security methods “sophisticated”, which some analysts took issue with. Several mentioned that Twilio owns Authy, which provides MFA tools, as an ironic detail indicating that they should have done a better job.

Cloudfare announced that 76 of their employees had experienced a similar attack in the same time frame but didn’t fall for it. One telltale sign: the phishing SMS messages originated from a newly-minted domain that was less than an hour old.

Attackers gained access to Twilio’s customer support console. From there, they were able to reveal details of about 1,900 users to verify Signal accounts (and search for three numbers and successfully re-register one account via Twilio), according to an update published by Signal.

Now, let's turn to Slack's response.

  • First off, it wasn’t timely. Weeks went by between the actual breach and last week’s public notice, when compared to a few days for Twilio’s response.

  • It was very short on the specifics of the breach, other than the cause was a bug in their software which was discovered in July by an independent researcher and immediately fixed. Furthermore, this bug was relevant for the past five or so years. They did say it was unlikely that any actual data was compromised, but this wasn’t supported with any specifics.

  • Some of its users were forced to reset their passwords. The company stated this was a small population of just 0.5% of the total user base, or about 100,000 users.

What to do to prevent these kinds of attacks in the future

First, don’t trust any embedded URL in a text message, especially if it is security related. Go directly to your employer’s page to direct any action. Of course, this places a burden of timeliness on your employer to update such a page.

Be mindful of requests to enter MFA codes if you didn’t login anywhere. Don’t respond to these messages either. This assumes that you're using MFA to protect your most sensitive logins.

Next, take care about publishing your corporate email address. Do your social network pages show this to the public, or just limit it to your personal network?

Don’t forget to carefully vet any API authentication access and applications that you have authorized.

Finally, as Cloudflare suggests, having “a paranoid but blame-free culture is critical for security". The company has noted that the three employees who fell for the phishing scam were not reprimanded. We are human, after all.

--> -->