Proactive Steps for Customers Experiencing Account Takeover

At Twilio, your Account SID and Authentication Token act as your credentials for our REST API, and are very powerful tools. Many fraudsters are aware of this, unfortunately, and may use novel fraud tactics to access your Twilio project including phishing, or searching for and finding your Account SID and Auth Token from public code on a site such as Github.

If you inadvertently shared these credentials, or left them exposed, it could be easy for someone to access your account, impersonate you, and commit thousands of dollars of fraudulent activity in a very short amount of time. An example of this could be hundreds of outbound, unauthorized calls and text messages impersonating financial or government institutions for the purpose of phishing. They can even change the URL settings of your Twilio phone numbers!

What is an Account Takeover?

An Account Takeover occurs when someone accesses your account fraudulently, and without your authorization. Here are some common behavior signals to look out for:

  • Unauthorized calls or messages sent from your account
  • Messages containing phishing links such as directing to a fake PayPal, Facebook, or a financial institution’s login page
  • Unauthorized email address or password change
  • Outbound traffic to countries you don't typically send traffic to

Determining if an Account is Actually Compromised

If you notice unusual activity, but you’re unsure if it’s an Account Takeover, a proactive step you could take is to search for your Account SID on GitHub. Even if you’re certain that you did not post anything, someone from your organization could have, and this would be the quickest step to find out. Here's how to search:

  1. Access the Project Settings page in Console, and copy your Account SID.
  2. Access Github.com.
  3. Paste your Account SID in the Github search field.
    acctTakeover_01.png

Alternatively, you can insert your Account SID into this URL, replacing AC123abc456def789ghi0j, and then copy and paste this into your web browser:

https://github.com/search?q=AC123abc456def789ghi0j&type=Code

In the search results, you're hoping to see a 0 in the Code field.
acctTakeover_02_B.png 

If you see a 1 (or any number other than 0), this means that your account may be compromised, and action should be taken. Click Code to see specific information:
acctTakeover_03.png 

  • When the code was uploaded to the site
  • Who uploaded it
  • Account SID
  • Auth Token

Account Compromised: Next Steps

If you find that your Twilio project has been compromised, or is vulnerable due to a leak, your Auth Token(s) must be changed in order to secure your account. Be sure to not only request a new token, but also promote the new token to primary; this is the only process to remove the old token from your project. For instructions, please see Auth Tokens and How to Change Them.

Notice: When a new Auth Token is promoted to primary, the old token is rendered essentially useless. Immediately after promoting the new token, all requests to Twilio using your old Auth Token will result in an error. Any existing Twilio apps using your old token will need to be updated with the new Auth Token before they can work successfully again.

Once your Auth Token has been changed, we suggest immediately enabling two-factor authentication (2FA) on your Twilio project. This will add an additional layer of protection to your project by requiring a security code (sent by SMS or a voice call) be entered before logging in.

Finally, we ask that you please reach out to our Fraud Operations group. They can review your project for any other fraudulent activity, and can reactivate your project if it has been suspended. They're also able to answer any other questions regarding the safeguarding of your account.

Please reach out to Fraud Operations via email at fraud@twilio.com.

Have more questions? Submit a request
Powered by Zendesk