
Twilio Data Breach: How SMS Phishing Compromised a Security Company and Lessons for 2026

Communications giant Twilio confirms a data breach affecting customer accounts after hackers successfully used SMS phishing to trick employees into revealing login credentials. This well-orchestrated attack highlights the ongoing threat of phishing to corporate data security.

Ozan Ucar, Founder and CEO of Keepnet

Twilio Data Breach: How Hackers Exploited SMS Phishing to Access Customer Data

In August 2023, Twilio confirmed that hackers had gained unauthorized access to customer data. The attackers, using a well-coordinated SMS phishing campaign, tricked Twilio employees into handing over their login details, effectively bypassing internal security measures. The breach has raised critical questions about the ongoing vulnerabilities that large tech firms face and how they can be better protected.

How the Attack Happened: Sophisticated SMS Phishing Campaign

Twilio revealed that the attack began with a series of SMS phishing messages that impersonated the company’s IT department. These messages suggested that employees’ passwords had expired or that their schedules had changed, prompting them to click on a malicious link. The link directed them to a fake web address, where employees were encouraged to enter their login credentials.

By using industry-specific language and internal company terms such as “SSO” (single sign-on), the attackers added a layer of authenticity to the messages, which increased the likelihood that employees would fall for the scam. This strategy is typical of spear phishing, where attackers craft highly specific messages to appear genuine and trustworthy.

Why SMS Phishing Remains a Top Cybersecurity Threat

SMS phishing, or “smishing,” is increasingly common as employees rely heavily on mobile devices and receive numerous company messages. SMS phishing attacks can be harder to detect than email-based phishing because the messages are short and often lack the traditional red flags, such as misspellings or suspicious sender addresses. Twilio’s case highlights how even companies that build security solutions, including tools for two-factor authentication (2FA), remain vulnerable to SMS-based attacks.

Twilio’s Response: Collaborating with Providers to Shut Down Malicious URLs

Upon discovering the breach, Twilio acted quickly, working with telecom operators and hosting providers to block the malicious URLs used by attackers. They also collaborated with U.S. providers to stop the spread of malicious messages. However, Twilio stated that despite these efforts, the threat actors continued to switch telecom operators and hosting providers, adapting their approach to avoid detection.

Twilio’s acknowledgment of the attackers’ sophistication underscores a critical reality in today’s cybersecurity landscape: Phishing attacks are becoming increasingly organized, methodical, and difficult to counter.

Potential Customer Impact: What We Know So Far

Although Twilio confirmed unauthorized access to certain customer accounts, it has not yet disclosed how many clients were affected or what specific data was compromised. With over 150,000 corporate clients, including major names like Uber and Facebook, the potential impact of the breach could be significant, depending on the extent of data exposure.

Twilio’s breach could have broader implications for companies that rely on its services for authentication and communication. If login credentials or other sensitive information have been accessed, this could expose Twilio’s customers to secondary attacks, such as account takeovers or social engineering campaigns.

Lessons from the Twilio Breach: Reducing SMS Phishing Vulnerabilities

This incident with Twilio underscores the importance of recognizing and addressing the risks associated with SMS phishing. Here are some measures that can help prevent similar breaches:

1. Implement Multi-Layered Authentication

While Twilio offers two-factor authentication (2FA) services, relying on 2FA alone may not be enough, especially if hackers can phish login credentials. Companies should consider multi-layered authentication, including biometric verification or push notifications on secure devices.

2. Regular Employee Training on Phishing Awareness

Cybersecurity awareness training is crucial in helping employees recognize phishing attempts. Training should cover various phishing methods, including SMS phishing. Employees should learn to verify the authenticity of messages, especially those claiming to come from the IT department.

3. Use Phishing Simulators for Realistic Training

Phishing simulators are effective tools to prepare employees for real attacks. By mimicking genuine phishing attempts, they help employees practice identifying and reporting potential threats in a safe environment.

4. Collaborate with Telecom Providers and Regulators

As Twilio’s response indicates, collaboration with telecom providers and regulatory agencies can be instrumental in shutting down malicious actors. Telecom providers should work together to monitor for abnormal messaging patterns that could indicate phishing campaigns.

The Rise of Well-Organized Phishing Groups

Twilio’s breach highlights the growing trend of organized phishing groups capable of bypassing traditional security measures. These groups are methodical, utilizing technical and psychological tactics to deceive even security-conscious employees. Their sophistication is evident in how they exploit small vulnerabilities, such as text messaging, to gain access to otherwise secure systems.

Final Thoughts: The Need for Continuous Vigilance

The Twilio breach serves as a stark reminder that SMS phishing is a potent attack vector that requires continuous vigilance and robust defensive strategies. With increasingly organized threat actors using sophisticated techniques, companies must stay proactive by combining technology, training, and collaboration with external partners to close gaps in their defenses.

To protect your organization, it’s essential to understand that every digital touchpoint, from SMS to email, can be exploited. Prioritizing security awareness, implementing rigorous multi-layered authentication, and leveraging phishing simulators are critical steps toward mitigating these risks.

Editor's Note: This article was updated on March 12, 2026.

Editor's Note: This article was updated on June 1, 2026.

Frequently Asked Questions

What happened in the Twilio data breach?

In August 2022, attackers from a group tracked as Scatter Swine (0ktapus) sent SMS phishing messages to Twilio employees, impersonating the company's IT department. The messages claimed that passwords had expired or schedules had changed and directed employees to a fake login page. Employees who entered their credentials gave attackers access to Twilio's internal systems, exposing data from an undisclosed number of customer accounts. Twilio had over 150,000 corporate clients at the time, making the potential downstream impact significant.

What is SMS phishing (smishing) and how does it work?

Smishing is a form of phishing delivered via SMS text messages rather than email. Attackers send messages that appear to come from a trusted source such as an employer's IT department, a bank, or a delivery service. The message typically creates urgency, directing the recipient to click a link and take immediate action. Because SMS messages bypass email security filters and recipients are often less suspicious of texts than emails, smishing has a higher initial success rate than many email phishing campaigns. Learn more about targeted phishing techniques.

Why is SMS phishing harder to detect than email phishing?

SMS messages do not go through the same security filtering infrastructure as corporate email. There is no equivalent of a secure email gateway for SMS. Messages also display in a condensed format on mobile screens, making it harder to inspect the full URL before tapping. The personal and informal nature of SMS means recipients are conditioned to act quickly on texts, and the absence of typical phishing indicators (such as generic salutations or broken formatting) makes smishing messages harder to identify at a glance.

What is 2FA and why was it not enough to stop the Twilio breach?

Two-factor authentication (2FA) adds a second verification step to the login process, typically a code sent via SMS or an authenticator app. In the Twilio breach, attackers used real-time phishing: they captured credentials on their fake login page and immediately used them to log in to Twilio's real systems, simultaneously capturing the 2FA code by including a 2FA prompt on their fake page. This technique, called an adversary-in-the-middle attack, bypasses SMS-based and TOTP-based 2FA. Phishing-resistant MFA methods such as hardware security keys or passkeys are not vulnerable to this technique.

Who was behind the Twilio attack and what else did they target?

The Twilio attack was attributed to a threat group tracked as Scatter Swine, also known as 0ktapus. The group ran a large-scale smishing campaign targeting employees at over 130 organizations in 2022, using a phishing kit designed to capture credentials and 2FA codes in real time. Other targets in the same campaign included Cloudflare, Signal, and DoorDash. The attack on Twilio was particularly significant because Twilio provides authentication services to other companies, meaning the breach provided access to downstream customers.

What is a supply chain attack and how did the Twilio breach create supply chain risk?

A supply chain attack occurs when an attacker compromises a vendor or service provider to gain access to that provider's customers. The Twilio breach created supply chain risk because Twilio provides SMS-based authentication and communication services to thousands of corporate clients. By accessing Twilio's systems, attackers could potentially intercept 2FA codes sent on behalf of Twilio's customers, use Twilio's messaging infrastructure to send malicious messages, or access customer contact information for secondary attacks.

How should employees respond to unexpected messages claiming to be from IT?

Employees should treat any unexpected SMS or message claiming to require immediate password action, schedule changes, or login verification as suspicious. The correct response is to contact the IT department directly through an independently verified channel (such as an internal directory number or ticketing system) rather than following the link in the message. Organizations should establish and communicate a clear verification procedure so employees know exactly what to do when they receive messages of this type, reducing the pressure to act immediately.

What is phishing-resistant MFA and how does it protect against smishing attacks?

Phishing-resistant MFA refers to authentication methods that cannot be intercepted by an adversary-in-the-middle attack. Hardware security keys (such as FIDO2-compliant devices) and passkeys verify the authenticity of the login domain as part of the authentication process, so they will not produce a valid response on a fake login page even if the user attempts to log in there. This is the most effective technical control against the type of real-time phishing used in the Twilio attack. Organizations should prioritize migrating high-risk accounts to phishing-resistant MFA.

How can smishing simulation training reduce the risk of SMS phishing attacks?

Smishing simulation training sends realistic but harmless SMS phishing messages to employees and measures who clicks, who enters credentials, and who reports the message. Employees who interact with the simulation receive immediate contextual feedback explaining the red flags they missed. Over repeated training cycles, employees build the habit of pausing and verifying unexpected messages rather than complying with them. Organizations using Keepnet's Smishing Simulator can measure employee susceptibility to SMS phishing specifically and track improvement over time.

What broader lessons should organizations take from the Twilio breach in 2026?

The Twilio breach demonstrates that even organizations that specialize in security-related services can be compromised through the human layer. No technical sophistication is required to execute an effective smishing campaign: the attackers used simple but psychologically effective messages, a convincing fake page, and speed. The defenses that work are also straightforward: phishing-resistant MFA on all critical accounts, clear employee verification procedures, and regular training on human error in security breaches that includes SMS-specific scenarios.