This week, Twilio — the company that is essentially the plumbing for SMS communications across thousands of apps — disclosed that attackers successfully phished its employees and gained access to internal systems. If you’re a developer who’s ever called `twilio.messages.create()`, this one should have your attention.
The breach didn’t exploit some clever zero-day. It was a well-crafted phishing campaign targeting Twilio employees with SMS messages that impersonated the company’s IT department. The messages directed employees to a fake login page, captured their credentials, and the attackers walked right in. Simple, effective, devastating.
## The Irony of an SMS Company Being Phished via SMS
There’s a painful irony here that’s hard to ignore. Twilio, the company that powers SMS-based two-factor authentication for a massive portion of the internet, was itself compromised through a text message attack. It’s like a locksmith getting their shop broken into because they left the key under the doormat.
The attackers reportedly accessed data for a limited number of customer accounts — Twilio says around 125 — but when your customer list includes companies like Okta, Signal, and countless other services, the blast radius extends far beyond what that number suggests. We’re looking at a supply chain attack where compromising one communications provider can cascade into dozens of downstream services.
I’ve been in this industry long enough to know that phishing is never truly “solved.” You can train employees endlessly, run simulations quarterly, and still someone will click on a convincing enough message. The question isn’t whether your people will fall for phishing — it’s what happens when they do.
## SMS 2FA: The Security Theater We Keep Performing
This breach is another nail in the coffin for SMS-based two-factor authentication. We’ve known for years that SMS is a weak second factor — SIM swapping, SS7 vulnerabilities, and now supply chain compromises of the SMS providers themselves. NIST deprecated SMS-based 2FA back in 2016, yet here we are in 2022 and it’s still the default for most services.
The problem is convenience. SMS is universal. Every phone can receive a text message. You don’t need to install an app, buy a hardware key, or understand what TOTP means. For product managers trying to balance security with user experience, SMS is the path of least resistance.
But “least resistance” is exactly what attackers are counting on. When the company providing your SMS 2FA gets breached, your second factor becomes your weakest factor.
If you’re building authentication flows today, please consider:
- TOTP apps (Google Authenticator, Authy) as the minimum standard
- WebAuthn/FIDO2 hardware keys for anything handling sensitive data
- Passkeys — the FIDO Alliance and platform vendors are pushing hard on these, and they might finally make phishing-resistant auth usable for normal humans
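To make the “TOTP as the minimum standard” recommendation concrete, here is an added example (not code from the original post and not Twilio’s) of the server side of TOTP: RFC 4226 HOTP with dynamic truncation, RFC 6238 time steps, a small clock-skew window, and a last-used-counter check so a code captured by a fake login page cannot be replayed within its validity period. It uses only the Python standard library; the secret is the published RFC test secret so the outputs can be checked against the RFC test vectors, and the class and function names are this example’s own.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP verification with replay protection.

Added example, not from the original post and not Twilio's code.
Standard library only. RFC_TEST_SECRET is the shared test secret from
RFC 4226 Appendix D / RFC 6238 Appendix B, used here so results can be
checked against the published vectors (it is obviously not a real secret).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP value for one counter value, with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP value for a Unix time (defaults to now): HOTP over floor(t / step)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Accepts codes from +/- `window` time steps to tolerate clock skew, and
    records the highest time step already used so the same code cannot be
    accepted twice. That replay check is what stops a phished code from
    being reused by the attacker inside its 30-second validity.
    """

    def __init__(self, secret: bytes, step: int = 30,
                 window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1   # highest time step consumed so far

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        t = int(time.time() if at is None else at)
        base = t // self.step
        accepted = None
        # Evaluate every candidate step (no early exit) so a mismatch and a
        # match cost the same amount of work; compare_digest avoids leaking
        # how many leading digits were right.
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code) and counter > self.last_counter:
                accepted = counter
        if accepted is None:
            return False
        self.last_counter = accepted   # consume the step: replay now fails
        return True


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    print(totp(RFC_TEST_SECRET, 59))        # 287082 (RFC 6238, T=59, SHA-1)
    print(v.verify("287082", 59))           # True
    print(v.verify("287082", 59))           # False: same step replayed
```

The secret must be stored server-side the way you would store any credential material, and the `last_counter` value has to live in the same persistent store as the secret, otherwise a second application instance will happily accept the replayed code.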
## The Bigger Picture: Identity Provider Trust Chains
What concerns me most about this breach isn’t the specific data that was accessed. It’s the pattern. We’re building increasingly complex trust chains where a handful of providers — Twilio for SMS, Okta for identity, Cloudflare for networking — form the foundation for thousands of applications.
When Okta was breached earlier this year through the Lapsus$ group’s attack on a third-party support contractor, it showed the same vulnerability pattern. These identity and communications providers are high-value targets precisely because compromising them gives attackers leverage across the entire ecosystem.
As engineers, we need to think about these trust dependencies the same way we think about single points of failure in our infrastructure. If your authentication flow depends entirely on Twilio delivering an SMS code, what’s your fallback? If your SSO provider gets compromised, how quickly can you rotate credentials and revoke sessions?
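One answer to “how quickly can you rotate credentials and revoke sessions” is to build the revocation path before you need it. The following is an added example (not from the original post and not Twilio’s or Okta’s code) of a small revocation policy: sessions carry which identity provider asserted the login and which second factor was used, and the policy holds per-issuer and per-user “not before” watermarks plus a set of second factors that are no longer trusted on their own. Invalidating every session an SSO provider issued before a given time, or forcing step-up on every SMS-authenticated session, then becomes one call. All class and method names are this example’s own assumptions; a real deployment would apply the same checks to signed tokens against a persistent store.

```python
"""Session revocation watermarks for a compromised identity provider.

Added example: not from the original post and not Twilio's or Okta's code.
Sessions are plain dataclasses and the store is in memory; the names are
this example's own. The point is the evaluation order: hard revocation
by issuer or user first, then step-up for distrusted second factors.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    session_id: str
    user_id: str
    issuer: str        # which IdP / SSO provider asserted this login
    issued_at: float   # Unix time the session was minted
    mfa_method: str    # "webauthn", "totp", "sms", ...


@dataclass
class RevocationPolicy:
    # Sessions from this issuer minted before the timestamp are invalid.
    issuer_not_before: Dict[str, float] = field(default_factory=dict)
    # Per-user watermark, e.g. set after a credential rotation.
    user_not_before: Dict[str, float] = field(default_factory=dict)
    # Second factors no longer trusted on their own; holders must step up.
    distrusted_mfa: Set[str] = field(default_factory=set)

    def revoke_issuer(self, issuer: str, at: Optional[float] = None) -> None:
        """Kill every session this provider asserted before `at` (default now).
        This is the 'our SSO/communications provider was breached' lever."""
        self.issuer_not_before[issuer] = time.time() if at is None else at

    def revoke_user(self, user_id: str, at: Optional[float] = None) -> None:
        """Kill every session for one user minted before `at` (default now)."""
        self.user_not_before[user_id] = time.time() if at is None else at

    def distrust_mfa(self, method: str) -> None:
        """Stop accepting `method` as sufficient; existing sessions step up."""
        self.distrusted_mfa.add(method)

    def evaluate(self, s: Session) -> str:
        """Return 'revoked', 'step_up' or 'ok' for one session."""
        if s.issued_at < self.issuer_not_before.get(s.issuer, 0.0):
            return "revoked"
        if s.issued_at < self.user_not_before.get(s.user_id, 0.0):
            return "revoked"
        if s.mfa_method in self.distrusted_mfa:
            return "step_up"
        return "ok"


def sweep(sessions: List[Session], policy: RevocationPolicy) -> Tuple[List[str], List[str]]:
    """Apply the policy to a batch; returns (ids to terminate, ids needing step-up)."""
    terminate, step_up = [], []
    for s in sessions:
        verdict = policy.evaluate(s)
        if verdict == "revoked":
            terminate.append(s.session_id)
        elif verdict == "step_up":
            step_up.append(s.session_id)
    return terminate, step_up


if __name__ == "__main__":
    # Constructed sample sessions (not real data).
    live = [
        Session("s1", "alice", "okta", 1000.0, "sms"),
        Session("s2", "alice", "okta", 3000.0, "webauthn"),
        Session("s3", "bob", "local", 1000.0, "totp"),
        Session("s4", "carol", "local", 3000.0, "sms"),
    ]
    policy = RevocationPolicy()
    policy.revoke_issuer("okta", at=2000.0)   # provider compromise disclosed
    policy.distrust_mfa("sms")                # SMS provider compromised
    print(sweep(live, policy))                # (['s1'], ['s4'])
```

Because the watermarks are timestamps rather than lists of session ids, the check costs the same whether one session or a million were issued by the revoked provider, and it works for sessions the store never saw (for example, tokens still held in other services’ caches), which is exactly the case when a provider’s breach window is only known after the fact.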
## My Take
I’ve been integrating Twilio APIs since before they went public, and I still think they’re excellent at what they do. But this breach is a reminder that no provider is immune, and building resilient systems means assuming any single component can be compromised.
The industry needs to accelerate the move away from SMS as an authentication factor. Not next year, not “when passkeys are more mature” — now. Every new project I start uses WebAuthn or TOTP as the primary second factor, with SMS only as a last-resort fallback that I’d honestly rather not offer at all.
The attack itself was embarrassingly simple. The defense doesn’t have to be complicated either. Hardware keys, phishing-resistant protocols, and zero-trust architectures that limit blast radius when (not if) a breach occurs. We have the tools. We just need the will to deploy them.
