Welcome to Twilio's Trust Center, a reflection of our unwavering commitment to secure communications and the embodiment of the Twilio Magic. Our values define us, guiding how we work together to meet challenges and innovate. As we strive to unlock the imagination of builders and stand as the customer layer for the internet, this repository of information and documentation offers a transparent view into our security endeavors. Every call, message, or video chat made through our platform is a testament to our mission: providing simple tools to power engaging interactions with global reach and straightforward pricing. By fostering trust with you, we empower you to build deeper connections with your customers, all while staying true to the principles that make us who we are.
Twilio SendGrid recently discovered that bad actors sent phishing emails impersonating Twilio SendGrid. The emails contained fake SendGrid login links that may have led to those accounts being compromised.
What We’re Doing
As part of Twilio’s commitment to maintaining strong security practices, we have broken all known links associated with this attack; the links may still be clickable, but they are non-functional and may return a 404 Not Found error. Additionally, our teams are running forensics and will continue to investigate these phishing attacks and associated activity.
What You Should Do
Please remain vigilant and do not click on links from unexpected sources. To stay safe online, always verify the sender's identity before engaging with any message that contains links.
You may also want to take the following steps to ensure your account is secure:
- Reset Your Password and Set Up Two-Factor Authentication
- Cycle your account’s API keys
- Set up IP Access Management (if applicable)
- Review Twilio’s 10 Must-Follow Email Security Best Practices
- Review, update, and verify your teammates in your SendGrid account
- Review computers for malware and run anti-virus/anti-malware software
If you discover fraudulent content or links that were sent by a SendGrid customer, please report it to our team by forwarding it to abuse@sendgrid.com.
The Twilio Security Team recently detected that a threat actor was able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated API endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests.
There is no evidence of a breach of Twilio’s systems or other sensitive data.
Key Points:
- Twilio did not leak the bulk list of phone numbers. The threat actor tested millions of phone numbers to identify numbers associated with Authy accounts.
- They bypassed our protections using multiple IP addresses.
- The affected API endpoint is used exclusively by the Authy app during device registration and not by business customers. The API is now secure and does not allow requests from unvalidated mobile devices.
Action Required:
- Update your Authy app: Please update your Authy app to the latest Android and iOS app versions to receive the latest security updates.
- Stay vigilant: Although your Authy account is secure, threat actors might use associated phone numbers for phishing and smishing attacks. Be extra cautious and verify the legitimacy of any texts you receive.
If you need help using this Trust Center, please contact us.