In August 2022, Twilio disclosed a phishing-driven intrusion that had compromised employee credentials and exposed data belonging to a subset of customers. Two months later, the company supplemented the initial disclosure by acknowledging a separate June 2022 incident involving the same threat cluster, in which an employee was convinced through voice social engineering to provide credentials that permitted limited access to customer contact information. By late 2022, Twilio's investigation had connected the intrusions to the activity group publicly tracked as 0ktapus or Scatter Swine, a cluster that targeted more than 130 organizations in a coordinated smishing campaign.
Twilio is a platform company. Its messaging APIs underpin authentication flows, customer notifications, and application-to-person communication for thousands of downstream services. A compromise at Twilio is therefore never contained to Twilio; it propagates through whatever services rely on Twilio's APIs, SMS delivery, and identity primitives. Two years later, the incidents remain a useful case study for any B2B vendor that sits inside other companies' authentication or notification paths.
Timeline and tradecraft
The publicly documented timeline runs roughly as follows. In June 2022, a single Twilio employee responded to a voice-based social engineering call, providing credentials that allowed the attacker to access a limited set of internal tools. The intrusion was brief and, at the time, Twilio concluded it had no material customer impact. In early August 2022, multiple Twilio employees received SMS messages that impersonated IT staff and directed them to a credential harvesting site. At least one employee entered credentials that, when combined with a session token capture, permitted access to internal systems including tooling that could impact customer accounts.
Twilio's own August disclosure described the attacker as "sophisticated," with the ability to rotate infrastructure, match employee names to phone numbers using publicly available data, and craft messages tailored to the target. The connection to 0ktapus emerged through Group-IB's research, which demonstrated that the same phishing kit, the same reverse-proxy credential harvester, and the same Telegram exfiltration channel were used against a campaign of more than 130 targets spanning telecom, cryptocurrency, and SaaS. Twilio was one of several victims whose downstream customers, notably including services relying on Twilio for SMS-based two-factor authentication, were affected.
Downstream propagation
The most widely discussed downstream impact involved Authy, Twilio's two-factor authentication product. Twilio disclosed that the 0ktapus-aligned attackers had registered additional Authy devices to a small number of customer accounts, enabling account takeover for services that used Authy as the second factor. Signal, which used Twilio for phone-number verification, disclosed that approximately 1,900 users had their phone numbers re-registered and that an attacker could have received SMS verification codes for those accounts during the window of access. Other Twilio customers, including organizations in cloud infrastructure and identity, issued their own notices acknowledging that customer data had been queried via the compromised tooling.
The propagation pattern here is characteristic of the communications tier of the supply chain. Twilio did not ship malware; no dependency was poisoned. The attackers used legitimate tooling, exposed via a legitimately authenticated session, to take actions that looked like customer service work. From the perspective of any downstream service, the API calls originated from Twilio's own systems with Twilio's own credentials. There was no anomaly in traffic shape, no malicious binary, no hash to match against a threat feed.
Four structural lessons
Identity is the supply chain. Twilio's incidents were not bugs; they were identity compromises. The attacker succeeded because Twilio, like most organizations in 2022, relied on passwords and TOTP for employee authentication. Once credentials and a session token were captured via reverse-proxy phishing, the multi-factor check was a speed bump rather than a wall. The broad industry response, adoption of phishing-resistant authentication using FIDO2 or WebAuthn, has accelerated considerably since. For B2B vendors, the lesson is unambiguous: if your employees can be phished out of their credentials, your customers can be breached through you.
Internal tools are customer-facing. Twilio's internal administrative tooling was never intended to be exposed to customers, but its capabilities (registering Authy devices, resetting verification flows, mapping phone numbers to accounts) were directly customer-impacting. Many vendors maintain similar "back of house" tools without the scrutiny applied to customer APIs. A supply-chain-aware vendor treats internal tooling as a privileged customer interface, subject to the same logging, anomaly detection, and blast-radius limits as production services.
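The following is an added illustration, not Twilio's code or a description of its actual tooling, of what "blast-radius limits" and "logging" look like when they are wrapped around an internal support tool. Every customer-affecting action passes through a guard that caps how many distinct customer accounts one operator session may touch per hour, refuses authentication-changing actions (device registration, verification reset) that carry no ticket reference, and writes an audit record for denials as well as allows. The policy values, action names and ticket format are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Illustrative policy values (assumptions for this example, not any vendor's real limits).
MAX_ACCOUNTS_PER_SESSION = 5          # distinct customer accounts one session may touch per window
WINDOW = timedelta(hours=1)
HIGH_IMPACT_ACTIONS = {"register_2fa_device", "reset_verification"}


@dataclass
class AuditEvent:
    """One record in the tool's audit log; written for denies as well as allows."""
    ts: datetime
    session_id: str
    operator: str
    action: str
    customer_id: str
    decision: str
    reason: str


@dataclass
class AdminToolGuard:
    audit_log: list = field(default_factory=list)
    # session_id -> [(timestamp, customer_id), ...] of accounts touched recently
    touched: dict = field(default_factory=lambda: defaultdict(list))

    def authorize(self, ts, session_id, operator, action, customer_id, ticket_ref=None):
        """Decide whether a customer-affecting action may proceed and log the decision.

        Control 1: per-session cap on distinct customer accounts (blast radius).
        Control 2: actions that change a customer's authentication state need a ticket.
        """
        recent = [(t, c) for t, c in self.touched[session_id] if ts - t <= WINDOW]
        self.touched[session_id] = recent
        distinct = {c for _, c in recent}
        if customer_id not in distinct and len(distinct) >= MAX_ACCOUNTS_PER_SESSION:
            return self._record(ts, session_id, operator, action, customer_id,
                                "deny", "session reached distinct-account cap")
        if action in HIGH_IMPACT_ACTIONS and not ticket_ref:
            return self._record(ts, session_id, operator, action, customer_id,
                                "deny", "high-impact action needs a ticket reference")
        self.touched[session_id].append((ts, customer_id))
        return self._record(ts, session_id, operator, action, customer_id, "allow", "ok")

    def _record(self, ts, session_id, operator, action, customer_id, decision, reason):
        ev = AuditEvent(ts, session_id, operator, action, customer_id, decision, reason)
        self.audit_log.append(ev)
        return ev

    def sessions_with_denials(self):
        """Sessions that hit a control at least once: a cheap signal to alert on."""
        return sorted({e.session_id for e in self.audit_log if e.decision == "deny"})


def simulate_overreach(num_accounts=7):
    """Constructed scenario: one session walks through more accounts than the cap allows,
    then attempts a device registration with and without a ticket. Returns the decisions
    in order plus the sessions flagged for review."""
    guard = AdminToolGuard()
    t0 = datetime(2022, 8, 4, 10, 0)
    decisions = [guard.authorize(t0, "sess-1", "op-a", "lookup_customer", f"cust-{i}").decision
                 for i in range(num_accounts)]
    decisions.append(guard.authorize(t0, "sess-1", "op-a", "register_2fa_device", "cust-0").decision)
    decisions.append(guard.authorize(t0, "sess-1", "op-a", "register_2fa_device", "cust-0",
                                     ticket_ref="TICKET-PLACEHOLDER").decision)
    # Once the window has passed, the cap resets for the session.
    decisions.append(guard.authorize(t0 + WINDOW + timedelta(minutes=1), "sess-1", "op-a",
                                     "lookup_customer", "cust-99").decision)
    return decisions, guard.sessions_with_denials()


if __name__ == "__main__":
    for d in simulate_overreach()[0]:
        print(d)
```

The point of logging denials rather than silently refusing is that a session bumping into the cap is itself the anomaly: legitimate support work rarely walks through many unrelated accounts in an hour, whereas an attacker holding a captured session does exactly that.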
Disclosure shapes downstream response. Twilio's August 2022 disclosure was widely praised for being reasonably specific and prompt. The October supplement, acknowledging the earlier June incident that had been closed without customer notification, was less well received. For downstream customers trying to conduct their own impact analysis, the difference between "disclosed within a week" and "disclosed five months later" is the difference between actionable mitigation and retrospective cleanup. Vendors in supply chain positions should calibrate disclosure norms to the reality that their incidents become their customers' incidents.
Shared infrastructure creates shared fate. The 0ktapus cluster was notable because a single campaign, with a single phishing kit and a single operator, yielded access to more than 130 organizations. The attackers did not specialize in Twilio; they specialized in corporate identity providers and reverse-proxy phishing. Once a technique worked against one tenant, it scaled trivially. Downstream customers cannot insulate themselves from this dynamic by evaluating vendors individually. They need to understand the aggregate attack surface of their vendor ecosystem.
What downstream customers should have done
In retrospect, downstream customers of Twilio could have reduced their exposure in three ways. They could have separated the "delivery channel" from the "authentication factor," using Twilio for SMS delivery while relying on a non-SMS second factor wherever possible. They could have monitored for anomalous Authy device registrations as a first-class signal rather than relying solely on Twilio's detection. And they could have maintained a break-glass plan for the scenario in which Twilio's tooling itself was untrusted, including the ability to route around SMS verification for sensitive account changes.
None of these mitigations was obvious in 2022. All of them are tractable today, and all of them derive from a posture that assumes the vendor will eventually have an incident.
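As an added example (not from the original article, and not tied to any real Twilio or Authy API), here is what the second and third mitigations above look like on the downstream side. The detection part runs over a constructed event log of phone-number changes and 2FA-device registrations as a service might record them from its own flows, and raises two kinds of alert: a device registered shortly after a phone-number change on the same account, and a burst of registrations arriving through the vendor's support path rather than from the user's own app. The policy part is the break-glass switch: sensitive account changes never accept SMS, and once the SMS channel is marked untrusted nothing does. The "source" field, the thresholds and the action names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). "source" records whether the change came
# through the user's own app or through the vendor's support tooling; hypothetical field.
SAMPLE_EVENTS = [
    {"ts": "2022-08-04T10:00:00", "account": "acct-1", "event": "device_registered", "source": "user_app"},
    {"ts": "2022-08-04T10:05:00", "account": "acct-2", "event": "phone_changed",     "source": "vendor_support"},
    {"ts": "2022-08-04T10:07:00", "account": "acct-2", "event": "device_registered", "source": "vendor_support"},
    {"ts": "2022-08-04T10:08:00", "account": "acct-3", "event": "device_registered", "source": "vendor_support"},
    {"ts": "2022-08-04T10:09:00", "account": "acct-4", "event": "device_registered", "source": "vendor_support"},
    {"ts": "2022-08-04T10:10:00", "account": "acct-5", "event": "device_registered", "source": "vendor_support"},
    {"ts": "2022-08-05T09:00:00", "account": "acct-6", "event": "device_registered", "source": "user_app"},
]

TAKEOVER_GAP = timedelta(minutes=30)   # new device this soon after a phone change is suspicious
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3                    # support-path registrations in one window before alerting


def _parse(events):
    """Parse ISO timestamps and sort chronologically."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect(events):
    """Return a list of alerts, each {"rule": ..., "accounts": [...]}."""
    evs = _parse(events)
    alerts = []

    # Rule 1: phone change followed by a device registration on the same account.
    last_phone_change = {}
    flagged = []
    for e in evs:
        if e["event"] == "phone_changed":
            last_phone_change[e["account"]] = e["ts"]
        elif e["event"] == "device_registered":
            t = last_phone_change.get(e["account"])
            if t is not None and e["ts"] - t <= TAKEOVER_GAP:
                flagged.append(e["account"])
    if flagged:
        alerts.append({"rule": "takeover_pattern", "accounts": flagged})

    # Rule 2: a burst of registrations that did not come from the user's own app.
    support = [e for e in evs if e["event"] == "device_registered" and e["source"] != "user_app"]
    i = 0
    while i < len(support):
        start = support[i]["ts"]
        group = [e for e in support[i:] if e["ts"] - start <= BURST_WINDOW]  # contiguous, list is sorted
        if len(group) >= BURST_THRESHOLD:
            alerts.append({"rule": "support_path_burst", "accounts": [e["account"] for e in group]})
        i += len(group)
    return alerts


SENSITIVE_ACTIONS = {"change_phone", "add_2fa_device", "change_email", "change_password"}


def required_factor(action, sms_channel_trusted=True):
    """Which second factor an action must present.

    Sensitive account changes never accept SMS. For everything else SMS is accepted only
    while the delivery channel is trusted; setting sms_channel_trusted=False is the
    break-glass switch for the case where the SMS vendor's tooling cannot be trusted.
    """
    if action in SENSITIVE_ACTIONS or not sms_channel_trusted:
        return "webauthn"
    return "sms_or_webauthn"


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["accounts"])
    print(required_factor("change_phone"), required_factor("view_profile", sms_channel_trusted=False))
```

Both rules are deliberately independent of anything the vendor reports: they key only on what the downstream service can observe in its own records, which is the whole point of treating device registrations as a first-class signal rather than waiting for the vendor's notice.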
How Safeguard Helps
Safeguard helps organizations reason about vendor incidents like Twilio's by combining supplier risk tracking with dependency-aware impact analysis. Teams can identify which products and pipelines depend on a specific vendor's APIs or client libraries, correlate that inventory with public incident timelines, and scope impact queries to the services most likely affected. The platform surfaces identity and authentication dependencies explicitly, so that a breach in a communications provider or identity vendor maps to the applications whose 2FA or notification flows rely on it. Vendor questionnaires and continuous monitoring signals live in the same workspace as the SBOM, keeping supplier posture alongside technical inventory. For incident response, Safeguard produces a prioritized list of downstream services and the controls that should be reviewed first.