The fallout from this month’s breach of security provider Twilio keeps coming. Three new companies—authentication service Authy, password manager LastPass, and food delivery service DoorDash—said in recent days that the Twilio compromise led to them being hacked.
The three companies join authentication service Okta and secure messenger provider Signal in the dubious club of Twilio customers known to be breached in follow-on attacks that leveraged the data obtained by the intruders. In all, security firm Group-IB said on Thursday, at least 136 companies were similarly hacked, so it’s likely many more victims will be announced in the coming days and weeks.
The compromises of Authy and LastPass are the most concerning of the new revelations. Authy says it stores two-factor authentication tokens for 75 million users. Given the passwords the threat actor has already obtained in previous breaches, these tokens may have been the only things preventing the takeover of more accounts. Authy, which Twilio owns, said that the threat actor used its access to log in to only 93 individual accounts and enroll new devices that could receive one-time passwords. Depending on who those accounts belong to, that could be very bad. Authy said it has since removed unauthorized devices from those accounts.