Twilio Backup Carrier Exposed “SMS-Related” Data Via Public Amazon Bucket

July 15, 2024


A backup carrier for cloud-based communications platform Twilio was found to have an AWS S3 bucket open to the internet for several days, exposing “SMS-related” data including millions of one-time client passwords.

Security researchers came across the open bucket by chance, and found that it contained one-time passwords from a broad range of high profile clients such as Amazon, Microsoft, and Google. While many of these would have also required an attacker to know the user’s account password, some included “one-click” links that could provide immediate authentication.

Exposed bucket potentially allowed access to user accounts

The impacted organization is IdentifyMobile, a downstream carrier of two-factor authentication SMS messages for Twilio backup carrier iBasis. In a case of what appears to be a temporary misconfiguration, IdentifyMobile made an AWS S3 bucket public for about five days. This bucket contained authentication messages sent between January 1, 2024, and May 15, 2024.
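The exposure described above comes down to a bucket's policy, ACL and Public Access Block settings. The following is an added example, not code from Twilio, iBasis or IdentifyMobile, that triages those three documents offline; it assumes they were already fetched with boto3's get_bucket_policy, get_bucket_acl and get_public_access_block, and the sample documents in it are constructed.

```python
"""Offline triage of an S3 bucket's public-exposure posture (added example).
Assumes the policy, ACL and PublicAccessBlock documents were fetched with
boto3 (get_bucket_policy / get_bucket_acl / get_public_access_block);
the sample documents at the bottom are constructed, not from any real bucket."""
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements open to any principal; conditioned ones are marked."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            sid = stmt.get("Sid", "<no Sid>")
            hits.append(sid + (" (conditioned)" if stmt.get("Condition") else ""))
    return hits

def public_acl_grants(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def assess_bucket(policy: dict, acl: dict, pab: dict) -> dict:
    """Combine the three signals; only an unblocked grant counts as exposed."""
    stmts, grants = public_policy_statements(policy), public_acl_grants(acl)
    pab_off = [k for k in PAB_KEYS if pab.get(k) is not True]
    # RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls a public ACL.
    exposed = (bool(stmts) and "RestrictPublicBuckets" in pab_off) \
        or (bool(grants) and "IgnorePublicAcls" in pab_off)
    return {"public_statements": stmts, "public_acl_grants": grants,
            "public_access_block_missing": pab_off, "exposed": exposed}

# Constructed sample: a world-readable policy with every PublicAccessBlock
# setting disabled, the configuration shape behind a leak of this kind.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                          "Permission": "FULL_CONTROL"}]}
SAMPLE_PAB = dict.fromkeys(PAB_KEYS, False)
```

Calling `assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_PAB)` reports the PublicRead statement, all four missing Public Access Block settings and `exposed: True`; with the four settings enabled the same policy is reported but no longer counted as exposed.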

Twilio has since sent out an email advising impacted parties of the situation. The email says that Twilio and iBasis conducted a full investigation and found that, while no personal message data was exposed, some non-personal data, such as message bodies without login tokens, may have been. Twilio has sent a CSV file listing the exposed message SIDs to impacted recipients.

There is also no specific indication that threat actors accessed the exposed bucket during the vulnerability window. The bucket was discovered by the Chaos Computer Club (CCC), a known and reputable group of security researchers. The researchers said that the discovery was essentially a case of random happenstance, as they were in the “right place at the right time” to guess that the subdomain “idmdatastore” was publicly available during this window.

In total, over 200 million of these messages, sent by about 200 companies, were exposed in the bucket. The researchers’ follow-up with Twilio’s customer support indicates that these came from a narrow range of countries: France, Italy, Burkina Faso, Ivory Coast, and Gambia. Twilio has also told customers that iBasis has ceased using IdentifyMobile as a router.

Account risk unclear, but access by attackers “can’t be ruled out”

Due to the fairly narrow breach window and CCC’s unusual method of uncovering the bucket, it is possible that no one else came across it. However, the researchers advise that they “cannot rule out” the possibility.

Companies that use the service for 2FA include Amazon, Airbnb, DHL, Microsoft and Google. In some cases, the 2FA code would not be sufficient to compromise an account. However, some services may have sent a one-time login link that attackers could have used to access the account if they came across it before it expired.

Though these codes and messages have long since expired and there is no confirmation of threat actor access, impacted parties should be aware of possible phishing attempts making use of this information going forward. An attacker would have the user’s phone number along with the service that sends them 2FA messages, potentially enabling approaches ranging from SIM swaps at the more difficult end to simply sending a malicious link disguised as a 2FA message at the easiest end.