Twilio Notice of Security Incident with 3rd Party Carrier
6 points by cuu508 on July 3, 2024 | 6 comments
I received this in email:

---

[Alert] Notice of Security Incident With 3rd Party Carrier

You are receiving this email because Twilio has been notified that IdentifyMobile, a downstream carrier of our backup carrier iBasis, inadvertently exposed certain SMS-related data publicly on the internet. We conducted a thorough investigation in partnership with iBasis, and based on our findings, we believe that none of your messages containing personal data were exposed. While we have taken every measure to verify this, we cannot completely rule out the possibility of personal data exposure. Some non-personal data, such as message bodies without login tokens or marketing campaigns that don’t contain personal data, may have been exposed.

Here's what you need to know:

• IdentifyMobile, a downstream carrier used by iBasis (one of Twilio’s backup carriers) to route messages to their final destinations, made an AWS S3 bucket public from May 10-15, 2024. The bucket contained message-related data sent between January 1, 2024, and May 15, 2024.

• Chaos Computing Club (CCC), a known security research group, accessed some data but confirmed they are not holding any data downloaded from the AWS S3 Bucket.

• No Twilio systems were compromised as part of this exposure.

Actions we've taken:

• Started an investigation and escalated the issue to iBasis.

• Stopped traffic to iBasis where possible; iBasis ceased routing with IdentifyMobile.

• Continuing to work with carriers to get more details.

What you can do:

We recommend reviewing the SMS traffic you sent between January 1, 2024, and May 15, 2024, discussing the implications of an exposure with your internal team(s) and deciding if you need to engage with impacted individuals. If you need additional information regarding this incident, we are here to support you throughout this situation.

We apologize for any inconvenience and appreciate your understanding.

Sincerely,

Team Twilio




Thanks for sharing. We also got this at our company. We've reached out to their support for more details. Support have been unhelpful so far, providing extremely generic answers.

Will appreciate a comment if someone has or gets more information.


I will also ask their support:

1) Which countries it applies to.

2) What is their current and past policy for carriers storing message data.


I got some additional details from their support:

* The exposed data included mobile number, message content, SMS timestamp.

* Only France, Italy, Burkina Faso, Ivory Coast, and Gambia were impacted.

Twilio support also provided a CSV file listing the message SIDs for my account that were exposed. Unfortunately they say they cannot associate the message SIDs with recipient numbers. And I cannot either, as I have configured a short log retention period (out of privacy concerns, ironically) :-/
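As an added example (not from the thread, Twilio or the commenter), this is the kind of script a customer could run against the support-provided CSV of message SIDs and their own retained message-log export to work out which recipients fall inside the stated window and countries, and which SIDs retention has already made unresolvable. Column names, dialing-code mapping and the sample rows are my assumptions and constructed data.

```python
"""Scope exposed Twilio message SIDs against locally retained message logs (added example).
Column names and sample rows are assumptions; SIDs below are placeholders, not real ones."""
import csv
import io
from datetime import datetime

# Exposure window and impacted countries as stated in the thread; dialing codes are mine.
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 5, 15, 23, 59, 59)
IMPACTED_PREFIXES = {"+33": "France", "+39": "Italy", "+226": "Burkina Faso",
                     "+225": "Ivory Coast", "+220": "Gambia"}

# Constructed sample inputs: the support-provided CSV and the customer's own log export.
EXPOSED_CSV = "MessageSid\nSMexample0001\nSMexample0002\nSMexample0003\nSMexample0005\n"
LOCAL_LOG_CSV = (
    "sid,date_sent,to,body\n"
    "SMexample0001,2024-03-02T10:15:00,+33612345678,Your code is 123456\n"
    "SMexample0002,2024-02-11T08:00:00,+4915112345678,Your code is 654321\n"
    "SMexample0005,2023-12-30T09:30:00,+39312345679,Your code is 222222\n"
)

def country_for(number):
    """Impacted country for an E.164 number, or None if outside the stated scope."""
    for prefix in sorted(IMPACTED_PREFIXES, key=len, reverse=True):  # longest prefix wins
        if number.startswith(prefix):
            return IMPACTED_PREFIXES[prefix]
    return None

def load_exposed_sids(text):
    return {row["MessageSid"].strip() for row in csv.DictReader(io.StringIO(text))}

def load_local_log(text):
    return {row["sid"]: row for row in csv.DictReader(io.StringIO(text))}

def scope_exposure(exposed_sids, local_log):
    """Return (matched, unresolvable). A matched row says whether the message falls inside the
    stated window and countries; unresolvable SIDs were purged by log retention, so the
    recipient cannot be recovered from local data."""
    matched, unresolvable = [], []
    for sid in sorted(exposed_sids):
        row = local_log.get(sid)
        if row is None:
            unresolvable.append(sid)
            continue
        sent = datetime.strptime(row["date_sent"], "%Y-%m-%dT%H:%M:%S")
        country = country_for(row["to"])
        in_scope = WINDOW_START <= sent <= WINDOW_END and country is not None
        matched.append({"sid": sid, "to": row["to"], "country": country, "in_scope": in_scope})
    return matched, unresolvable
```

A SID that matches a number outside the five stated countries (the +49 row above) is worth raising with support, since it contradicts the stated scope.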


Yes I received more info as well. Apparently they think that GDPR does not apply to them in this case. Good luck with that.

"To answer your questions:

1. Only France, Italy, Burkina Faso, Ivory Coast, and Gambia were impacted by this incident, only the traffic sent to these countries.

2. To provide you more context, Twilio’s carrier partners are not considered to be Twilio's processors (or Twilio's customers' subprocessors) under the GDPR because carriers transmitting communications content (i.e., Customer Content) are not considered to be processing the personal data contained in the communication. There are a number of reasons behind this positioning:

• “Disclosure by transmission” is called out in the GDPR definition for 'processing' rather than transmission without disclosure.

• A processor role does not fit the nature of telecoms services and the telecoms value chain; confidentiality (and security) of communications is safeguarded by the ePrivacy framework.

• Guidance from the EDPB specifically covers “telecom operators” and does not specify a role for the carrier with respect to the content of the communication.

• Communications content merely transits a communications network or service, without significant processing being involved as confidentiality of communications prohibits the carrier from gaining access.

• Any other position would be impossible to implement given the complexity of the telecommunications value chain, with many parties involved in the origination, transit, and termination of communications content."


more background: https://www.ccc.de/en/updates/2024/2fa-sms

IdentifyMobile, a provider of 2FA-SMS, shared the sent one-time passwords in real-time on the internet. The CCC happened to be in the right place at the right time and accessed the data. It was sufficient to guess the subdomain "idmdatastore". Besides SMS content, recipients' phone numbers, sender names, and sometimes other account information were visible.


The email is unfortunately lacking in some details. Does this include all messages sent through Twilio or just in the country of this provider?

And why is this carrier storing messages on an S3 bucket? I don't see why they should store messages at all after the message has been processed; storing metadata should be sufficient for their records. It would definitely be problematic according to GDPR, and if IdentifyMobile is a British company then similar privacy laws should be in place?



