Comparison of Twilio and Slack breach responses
We recently learned of major security breaches at two technology companies, Twilio and Slack. The way these two organizations responded is instructive, and since both issued statements explaining what happened, it is worth observing the differences in their communication.
How did Twilio react to its recent breach?
Of the two companies affected by the recent breaches, Twilio’s response was the better of the two. Their messages included:
- An honest assessment of how the incident happened (in this case, phishing lures that tricked Twilio staff members into entering their login credentials and MFA codes on spoofed web pages)
- Plenty of detail about the breach, without mincing words
- Timely notification (the breach happened a few days before the blog post was published)
- Details of the mitigation measures taken, including that the company is in the process of individually notifying affected customers
These four elements should be included in any breach notification. Still, Twilio’s message wasn’t perfect. They did not reveal how many customers were affected — some analysts said it could reach more than 150,000 organizations — or what kinds of data may have been accessed. They also called the phishing attack and their security methods “sophisticated”, which some analysts have disputed. Several pointed out, tongue in cheek, that Twilio owns Authy, which provides MFA tools, and so should have done a better job.
Cloudflare announced that 76 of its employees had been targeted by a similar attack in the same period but did not fall for it. One telltale sign: the phishing SMS pointed to a newly created domain that was less than an hour old.
Now let’s turn to Slack’s response.
- First of all, it was not timely. Weeks passed between the actual breach and last week’s public notice, compared to days for Twilio’s response.
- It was very brief on the details of the breach, other than the fact that the cause was a bug in their software that was discovered in July by an independent researcher and immediately fixed. This bug had also been present for about five years. They said it was unlikely that any real data was compromised, but this was not backed up with any details.
- Some of its users were required to reset their passwords. The company said it was a small population of just 0.5% of the total user base, or about 100,000 users.
What can be done to prevent such attacks in the future?
First, don’t trust any URL embedded in a text message, especially if it is security related. Go directly to your employer’s page for any required action. Of course, this places a burden on your employer to keep such a page up to date.
Watch out for requests to enter MFA codes when you haven’t logged in anywhere, and don’t respond to such messages either. This assumes that you use MFA to protect your most sensitive credentials.
Next, be careful about where you publish your work email address. Do your social media pages show it to the public, or do you limit it to your personal network?
Remember to carefully review any API authentication access and apps that you have authorized.
Finally, as Cloudflare suggests, having “a paranoid but blameless culture is essential for safety”. The company noted that the three employees who fell for the phishing scam were not reprimanded. We are human, after all.