At Twilio, your Account SID and Authentication Token act as your credentials for our REST API, and are very powerful tools. Many fraudsters are aware of this, unfortunately, and may use novel fraud tactics to access your Twilio project including phishing, or searching for and finding your Account SID and Auth Token from public code on a site such as Github.
If you inadvertently shared these credentials, or left them exposed, it could be easy for someone to access your account, impersonate you, and commit thousands of dollars of fraudulent activity in a very short amount of time. An example of this could be hundreds of outbound, unauthorized calls and text messages impersonating financial or government institutions for the purpose of phishing. They can even change the URL settings of your Twilio phone numbers!
What is an Account Takeover?
An Account Takeover occurs when someone accesses your account fraudulently, and without your authorization. Here are some common behavior signals to look out for:
- Unauthorized calls or messages sent from your account
- Messages containing phishing links such as directing to a fake PayPal, Facebook, or a financial institution’s login page
- Unauthorized email address or password change
- Outbound traffic to countries you don't typically send traffic to
Determining if an Account is Actually Compromised
If you notice unusual activity, but you’re unsure if it’s an Account Takeover, one proactive step you could take is to search for your Account SID on GitHub. Even if you’re certain that you did not post anything, someone from your organization could have, and this would be the quickest step to find out. Here's how to search:
- Access the Project Settings page in Console, and copy your Account SID.
- Access Github.com.
- Paste your Account SID in the Github search field.
Alternatively, you can insert your Account SID into this URL, replacing
AC123abc456def789ghi0j, and then copy and paste this into your web browser:
In the search results, you're hoping to see a
0 in the Code field.
If you see a
1 (or any number other than
0), this means that your account may be compromised, and action should be taken. Click Code to see specific information:
- When the code was uploaded to the site
- Who uploaded it
- Account SID
- Auth Token
Account Compromised: Next Steps
If you find that your Twilio project has been compromised, or is vulnerable due to a leak, please immediately do the following:
1. Change the passwords for all users associated with your account.
- We recommend using a long passphrase as suggested by our Minimum Password Requirements.
- If you are using the same password for your e-mail provided, we strongly suggest you rotate the password for your e-mail provider as well, and use a different password for each service.
- If the compromised account has any subaccounts, those subaccounts' Auth Tokens need to be reset as well.
- Notice: When a new Auth Token is promoted to primary, the old token is rendered essentially useless. Immediately after promoting the new token, all requests to Twilio using your old Auth Token will result in an error. Any existing Twilio apps using your old token will need to be updated with the new Auth Token before they can work successfully again.
3. Delete all existing API-key(s)
- Click on API-keys under settings and delete your API key here: https://www.twilio.com/console/project/api-keys
- Please note, you can only create a new API-key once your account is active
4. Enable Two-Factor Authentication (2FA) for all users associated with your account.
- This will add an additional layer of protection to your project by requiring a security code (sent by SMS or a voice call) be entered before logging in.
5. Verify that any applications or Twilio integrations you are running are properly secured, and running the most up-to-date versions of the software.
- This includes any frameworks (e.g. Wordpress) or administrative tools (e.g. cPanel) that are often not updated and frequently targeted by malicious actors.
- Ensure that your applications are not running in a debug mode which could inadvertently expose your tokens.
- Exercise caution when sharing your Twilio code publicly by removing or hiding your Authentication Tokens from the code before publishing it.
6. Check any computers that you use to login to the Twilio services for Malware and run Anti-Virus/Anti-Malware software.
7. Audit your Voice Geographic Permissions and SMS Geographic Permissions to restrict calling or sending SMS only to countries you expect to call or message, read more about it here: Protect Your Account with Voice Geo Permissions. You can also set Usage Triggers to set daily limits for any usage category.
8. Verify the email addresses associated with all users
- If you think any email addresses have been modified, change them.
9. Verify that the caller ID used to sign up for the account is unchanged.
- The caller ID is the phone number on which your 2FA is enabled on
- If you think those numbers have been modified, change them.
10. Secure your website by closing ports, removing unnecessary files, and making sure your site and its integrations are up to date.
11. Review your full website permissions structure and ensure that none of your Authentication Tokens are stored in plain text and visible to the public.
12. Consider hiring a third party security company to assist with all of the above and with securing your accounts.
Finally, we ask that you please reach out to our Fraud Operations team. They can review your project for any other fraudulent activity, and can reactivate your project if it has been suspended. They're also able to answer any other questions regarding the safeguarding of your account.
Please reach out to Fraud Operations via email at firstname.lastname@example.org.