item 40864060

Twilio Notice of Security Incident with 3rd Party Carrier

6 points | cuu508 | 1 year ago

I received this in email:

---

[Alert] Notice of Security Incident With 3rd Party Carrier

You are receiving this email because Twilio has been notified that IdentifyMobile, a downstream carrier of our backup carrier iBasis, inadvertently exposed certain SMS-related data publicly on the internet. We conducted a thorough investigation in partnership with iBasis, and based on our findings, we believe that none of your messages containing personal data were exposed. While we have taken every measure to verify this, we cannot completely rule out the possibility of personal data exposure. Some non-personal data, such as message bodies without login tokens or marketing campaigns that don’t contain personal data, may have been exposed.

Here's what you need to know:

• IdentifyMobile, a downstream carrier used by iBasis (one of Twilio’s backup carriers) to route messages to their final destinations, made an AWS S3 bucket public from May 10-15, 2024. The bucket contained message-related data sent between January 1, 2024, and May 15, 2024.

• Chaos Computing Club (CCC), a known security research group, accessed some data but confirmed they are not holding any data downloaded from the AWS S3 Bucket.

• No Twilio systems were compromised as part of this exposure.

Actions we've taken:

• Started an investigation and escalated the issue to iBasis.

• Stopped traffic to iBasis where possible; iBasis ceased routing with IdentifyMobile.

• Continuing to work with carriers to get more details.

What you can do:

We recommend reviewing the SMS traffic you sent between January 1, 2024, and May 15, 2024, discussing the implications of an exposure with your internal team(s) and deciding if you need to engage with impacted individuals. If you need additional information regarding this incident, we are here to support you throughout this situation.

We apologize for any inconvenience and appreciate your understanding.

Sincerely,

Team Twilio

6 comments

mitio | 1 year ago
Thanks for sharing. We also got this at our company. We've reached out to their support for more details. Support have been unhelpful so far, providing extremely generic answers.

Will appreciate a comment if someone has or gets more information.

sleepyhead | 1 year ago
I will also ask their support:

1) Which countries it applies to. 2) What is their current and past policy for carriers storing message data.

hacka22 | 1 year ago
more background: https://www.ccc.de/en/updates/2024/2fa-sms

IdentifyMobile, a provider of 2FA-SMS, shared the sent one-time passwords in real-time on the internet. The CCC happened to be in the right place at the right time and accessed the data. It was sufficient to guess the subdomain "idmdatastore". Besides SMS content, recipients' phone numbers, sender names, and sometimes other account information were visible.
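
The subdomain-guessing step described in the comment above, as an added example that is not part of this thread and not tooling from the CCC, Twilio, iBasis or IdentifyMobile: a Python probe that sends an unauthenticated listing request to a bucket's virtual-hosted S3 hostname and classifies the reply. The name "idmdatastore" is the one the CCC write-up reports; the three sample responses embedded in the block are constructed to mirror S3's response formats, not captured from the incident, so the classifier can be exercised offline.

```python
"""Anonymous S3 bucket listing probe.

Added example for this thread; not code from Twilio, iBasis, IdentifyMobile
or the CCC. The bucket name below is the one the CCC write-up names; the
sample responses are constructed to match S3's response formats so the
classifier can be exercised offline.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
CCC_REPORTED_NAME = "idmdatastore"  # from https://www.ccc.de/en/updates/2024/2fa-sms


def fetch_listing(bucket: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET the bucket's virtual-hosted URL with no credentials at all."""
    url = f"https://{bucket}.s3.amazonaws.com/?max-keys=5"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify_listing(status: int, body: bytes) -> dict:
    """Turn one S3 response into an exposure verdict.

    200 + <ListBucketResult>       anyone can enumerate object keys
    403 + <Error>AccessDenied      bucket exists, anonymous listing denied
    301 + <Error>PermanentRedirect bucket exists in another region
    404 + <Error>NoSuchBucket      name is unclaimed
    """
    verdict = {"status": status, "exists": None, "public_listing": False,
               "error_code": None, "keys": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        verdict["exists"] = status != 404
        return verdict
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        verdict["exists"] = True
        verdict["public_listing"] = True
        verdict["keys"] = [c.findtext(S3_NS + "Key")
                           for c in root.iter(S3_NS + "Contents")]
    elif root.tag == "Error":
        code = root.findtext("Code")
        verdict["error_code"] = code
        verdict["exists"] = code != "NoSuchBucket"
    return verdict


def probe(bucket: str,
          fetch: Callable[[str], Tuple[int, bytes]] = fetch_listing) -> dict:
    """Probe one bucket name; `fetch` is injectable so tests can stay offline."""
    status, body = fetch(bucket)
    return dict(bucket=bucket, **classify_listing(status, body))


# Constructed responses in S3's own formats (not captured from the incident).
SAMPLE_PUBLIC = (200, b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-datastore</Name><IsTruncated>true</IsTruncated>
  <Contents><Key>sms/2024-05-10/batch-0001.json</Key><Size>8192</Size></Contents>
  <Contents><Key>sms/2024-05-10/batch-0002.json</Key><Size>8192</Size></Contents>
</ListBucketResult>""")
SAMPLE_DENIED = (403, b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>""")
SAMPLE_MISSING = (404, b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>""")

if __name__ == "__main__":
    for name, sample in [("public-demo", SAMPLE_PUBLIC),
                         ("locked-demo", SAMPLE_DENIED),
                         ("unused-demo", SAMPLE_MISSING)]:
        print(probe(name, fetch=lambda _b, s=sample: s))
    # Live check of the CCC-reported name (network required):
    # print(probe(CCC_REPORTED_NAME))
```

A 403 AccessDenied only proves that anonymous listing is blocked: objects carrying their own public ACL can still be fetched by key if the key is known, and a PermanentRedirect means the bucket exists in another region. Enabling all four S3 Block Public Access settings at the account level closes both the public-policy and public-ACL paths regardless of what an individual bucket's policy says.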

sleepyhead | 1 year ago
The email is unfortunately lacking in some details. Does this include all messages sent through Twilio or just in the country of this provider?

And why is this carrier storing messages on an S3 bucket? I don't see why they should store messages at all after the message has been processed; storing metadata should be sufficient for their records. It would definitely be problematic according to GDPR, and if IdentifyMobile is a British company then similar privacy laws should be in place?
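
On the point in the comment above that a carrier only needs metadata once a message has been handed off, here is an added example (not part of the thread, and not code from IdentifyMobile, iBasis or Twilio) of a Python delivery record that keeps routing metadata but never the body, with a check that neither the OTP nor the full recipient number survives serialisation. The field names, the keyed-hash choice and the sample SMS are assumptions of the example.

```python
"""Data-minimised carrier delivery record.

Added example for this thread; not IdentifyMobile's, iBasis's or Twilio's
code. It keeps the routing metadata a carrier needs for billing and delivery
disputes and drops the message body, so a leaked record cannot reveal an
OTP. Field names and the sample SMS are constructed.
"""
import hashlib
import hmac
import json
import re
from dataclasses import asdict, dataclass
from typing import List, Optional

OTP_RE = re.compile(r"\b\d{4,8}\b")  # assumption: OTPs are 4-8 digit runs


def mask_msisdn(number: str) -> str:
    """Keep the first three and last two digits: +4917612345678 -> +491********78."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 5:
        return "*" * len(digits)
    return "+" + digits[:3] + "*" * (len(digits) - 5) + digits[-2:]


def body_fingerprint(body: str, key: bytes) -> str:
    """Keyed hash of the body for dedup/dispute lookup without storing the text.

    An unkeyed SHA-256 of a six-digit code is reversible with a million guesses,
    so the hash is keyed with a secret that lives outside the log store.
    """
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class DeliveryRecord:
    message_id: str
    sender_id: str
    recipient: str          # masked MSISDN
    body_len: int
    body_hmac: str
    contains_otp: bool      # flag only; the code itself is never stored
    status: str
    submitted_at: str
    delivered_at: Optional[str]


def make_record(sms: dict, key: bytes) -> DeliveryRecord:
    """Build the record that is retained after the message has been handed off."""
    body = sms["body"]
    return DeliveryRecord(
        message_id=sms["message_id"],
        sender_id=sms["sender_id"],
        recipient=mask_msisdn(sms["to"]),
        body_len=len(body),
        body_hmac=body_fingerprint(body, key),
        contains_otp=bool(OTP_RE.search(body)),
        status=sms["status"],
        submitted_at=sms["submitted_at"],
        delivered_at=sms.get("delivered_at"),
    )


def leaked_secrets(record: DeliveryRecord, secrets: List[str]) -> List[str]:
    """Return every secret string that still appears in the serialised record."""
    serialised = json.dumps(asdict(record))
    return [s for s in secrets if s in serialised]


# Constructed SMS as a carrier would see it in transit (not real traffic).
SAMPLE_SMS = {
    "message_id": "msg-0001",
    "sender_id": "ExampleBank",
    "to": "+4917612345678",
    "body": "Your ExampleBank login code is 483921. It expires in 10 minutes.",
    "status": "delivered",
    "submitted_at": "2024-05-10T08:00:00Z",
    "delivered_at": "2024-05-10T08:00:03Z",
}

if __name__ == "__main__":
    rec = make_record(SAMPLE_SMS, key=b"demo-key-kept-in-a-kms-not-here")
    print(json.dumps(asdict(rec), indent=2))
    print("leaked:", leaked_secrets(rec, ["483921", SAMPLE_SMS["to"], SAMPLE_SMS["body"]]))
```

The HMAC key is the one piece of state that must not sit next to the records: with it, a six-digit OTP can be confirmed by brute force against the stored hash; without it, the hash is useless to whoever copies the bucket.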