Lessons from the Twilio Breach: Securing SaaS Applications Against Modern Threats

Another recent security breach has made organizations think yet again about SaaS apps they may be using, even for security-related tasks. Just a few days ago, Twilio confirmed a breach related to its Authy two-factor authentication 2FA app. Due to the breach, 33 million users’ phone numbers were exposed. We will take a look at the breach itself, how it happened, and lessons learned for organizations using modern SaaS apps.

Recently, Twilio confirmed a significant data breach impacting its Authy two-factor authentication (2FA) app, exposing the phone numbers of 33 million users. This breach occurred due to an unsecured API endpoint that allowed unauthorized access to these phone numbers. While no other sensitive data was reported as compromised, this exposure increases the risk of phishing and smishing attacks targeting Authy users​.

What happened in the Twilio Breach?

Hacker group ShinyHunters claimed responsibility for the breach on the BreachForums website. The group noted that 33 million phone numbers had been leaked. They were able to use an unsecured API endpoint that allowed the threat actors to have unauthorized access to the phone numbers. It appears that no other sensitive data was reported as stolen. 

Twilio responded quickly, locked down the compromised endpoint, and asked its users to update their Authy apps to the latest version to help mitigate potential security threats. 

The implications of the attack

The stolen phone numbers are valid and give the attackers numbers to use in phishing or smishing attacks, as well as social engineering attacks. Most users use their phones as a personal connection to most websites, and these are often used for 2FA processes, etc. 

It places the valid users and their phone numbers in the sights of attackers as they will obviously attempt to exploit the treasure trove of numbers for various types of attacks.

Lessons for Organizations

Organizations can learn many lessons from the recent Twilio breach. With web APIs used more than ever for programmatic interaction, they must be secured appropriately and audited for vulnerabilities. 

IT and SecOps teams must stay alert to potential security flaws and zero-day vulnerabilities in third-party applications since these can become compromised, as the recent Twilio breach demonstrates.

Note the following key takeaways:

1. Regular Risk Assessments – Regular security audits and risk assessments are a must. Security audits and risk assessments must include audits of all third-party apps and APIs used. It can be challenging, but proper audits help identify and remediate vulnerabilities before they can be exploited.
2. API Security Best Practices – APIs are a prime target of threat actors. Organizations must implement strict API security best practices. Proper API security should focus on authentication, authorization, and encryption to help prevent unauthorized access.
3. User Awareness and Training – Users need to be educated about the risks of phishing and smishing attacks, especially following breaches like what happened with Twilio. Training employees helps them recognize and respond appropriately to these types of threats and can significantly reduce the likelihood of a breach.
4. Deploy Security Solutions that use cybersecurity automation– Due to the sheer scope of today’s security vulnerabilities, the number of SaaS apps used, and the ineffectiveness of manual human efforts to properly assess all risks across all applications, organizations must utilize cybersecurity automation to perform automated risk assessments. It is the only way to stay ahead of vulnerabilities across the landscape of SaaS apps in the cloud. 

SpinOne SaaS Security Posture Management (SpinSPM)

Due to so many breaches and the high stakes at which organizations are now operating their business-critical infrastructure in the cloud, new security solutions are needed to keep pace and avoid the risk. SpinOne SaaS Security Posture Management (SpinSPM) provides multi-layered security for SaaS applications. 

Note the following key features:

Misconfiguration Management – SpinSPM helps organizations have visibility to misconfigurations, security drifts, and compliance breaches. It also provides automated detection and response.

Inventory & Visibility – It provides visibility and inventory of all cloud services. This visibility includes mobile apps, SaaS apps, and browser extensions that have access to Google Workspace and Microsoft 365. Admins can also understand who has access to these apps.

Assessment & Reassessment – SpinSPM continuously monitors the environment and provides ongoing risk assessments. These automated risk assessments use 15 risk factors to classify the risk of each app and browser extension to understand the risk to the business, security, and compliance.

Access Management – Admins can create an allowlist or blocklist for risky applications and browser extensions. These can be applied to everyone or in a granular way to specific organizational units.

Cybersecurity Automation – You can automate access management with granular security policies for monitoring alerting and then set the blocklist or allowlist for apps and browser extensions based on rules found in the policies.

Incident Response – It provides real-time notifications on detected incidents, including misconfigurations and risk score changes as these happen. Admins can also see these from a single dashboard where they can access advanced reporting and third-party integrations. Integrations include Splunk, ServiceNow, Jira, and Slack.  

Receive immediate, customizable notifications on detected incidents, misconfigurations, and risk score changes from a single dashboard. This includes advanced reporting and integrations with Splunk, ServiceNow, Jira, and Slack.

Cloud Application Security Risk Assessment Checklist

As a resource to help organizations understand the risks associated with SaaS apps and browser extensions used in their environments, Spin has created a checklist that uses the same criteria that Spin algorithms apply to protect client environments in the cloud. These have been divided into three categories (Business Operation, Security, and Compliance risks).

You can read the full cloud application security risk assessment checklist here: Cloud Application Security Risk Assessment Checklist 2024 

Let’s get an overview of what is contained in each of the three categories of the checklist and how these are evaluated.

Business Operation Risk

1. Number of Users: If an app or extension has a large user base and is in high demand with good performance, this is a positive indicator. However, the app’s age and specific business functions should also be considered.
2. User Ratings: High ratings generally indicate good performance and functionality. It’s also essential to consider the number of ratings.
3. Developer Reputation: What are the developer’s credentials and contact information? Reliable developers typically have a professional business domain and a reputable web presence.
4. Latest Release and Updates Frequency: How often is the app or extension updated? This would happen ideally monthly and would indicate active maintenance and security patching.
5. Category: Look at the app or extension category. Apps in categories like Business Tools, Productivity, and Communication pose higher risks due to their significant role in business operations.

Security Risk

1. SSL Certificate Status and Domain History: It is important to make sure an app’s website has an SSL certificate and a trustworthy domain history.
2. Known Vulnerabilities: When evaluated with NIST’s National Vulnerability Database to check for reported security issues, how do these measure up?
3. Scope of Permissions: Apps with read/write permissions present higher risks. Those with read-only access may be moderately risky.
4. Data Transmission Encryption: This type of encryption is vital for securely transmitting data. Apps that have questionable or unverified encryption should be considered less secure and more risky.
5. Known Breaches: Has the app had any breaches in the past? If so, what has been the response from the developer?
6. Domain Install/Individual Install: Domain installs are generally considered more secure and usually authorized by the IT department.

Compliance Risk

1. Privacy Policy: Does the app have a comprehensive privacy policy?
2. Compliance and Audit Reports: Check the developer’s website for compliance documentation.
3. Developer Jurisdiction: Apps from geolocations with strong data security laws, like those of the EU or US, are preferred.

Using strong cybersecurity tools like SpinSPM and evaluating apps and extensions based on the app security checklist, organizations can help protect their data and users from breaches. SpinOne’s App Protection features help protect critical data from vulnerabilities, misconfigurations, and risky apps and extensions.

For more information on protecting your organization with SpinOne, and if you would like to have a demo of SpinSPM, you can request a demo here: Request a Demo of SpinOne SaaS Data Protection Platform.