Twilio security incident exposes SMS data via third-party carrier

A developer at IdentifyMobile accidentally made SMS contents public through a misconfigured AWS S3 bucket.
Twilio issues an alert about a security incident with a third-party carrier

Twilio has disclosed a security incident involving one of its third-party carriers in a security alert sent to its users. According to Twilio, iBasis (one of Twilio's backup carriers) routed traffic through IdentifyMobile (a backup carrier used by iBasis in turn), which accidentally exposed certain SMS-related data to the public internet. The exposure resulted from a misconfigured Amazon Web Services (AWS) S3 bucket that remained publicly accessible from May 10 to May 15, 2024.

The exposed data includes message-related information sent between January 1, 2024, and May 15, 2024. While Twilio’s investigation, conducted in partnership with iBasis, indicates that no messages containing personal data were exposed, the company acknowledges that it “cannot entirely rule out the possibility”. They state that some non-personal data, such as message bodies without login tokens or marketing campaigns devoid of personal data, may have been inadvertently exposed.

We conducted a thorough investigation in partnership with iBasis, and based on our findings, we believe that none of your messages containing personal data were exposed. While we have taken every measure to verify this, we cannot completely rule out the possibility of personal data exposure.

Twilio Alert Email

Twilio also mentioned the involvement of the Chaos Computer Club (CCC), a well-known security research organization. CCC accessed some of the exposed data, but has confirmed that it retained no data downloaded from the AWS S3 bucket.

Discovering publicly exposed AWS S3 buckets often relies on a combination of automated scanning tools and search engines. Automated tools, like Bucket Finder and S3Scanner, systematically search for open S3 buckets by generating candidate bucket names from common naming conventions and checking whether each one exists and permits anonymous listing.
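To make the enumeration step concrete, here is an added example (my own code, not part of the original article and not code from Stack Diary, Twilio, iBasis, IdentifyMobile or any of the tools named above). It mirrors the logic such tools use: derive candidate names from an organisation name using common affixes, send an unauthenticated GET to the bucket's virtual-hosted endpoint, and classify S3's reply by status code and XML error code. The affix list, the organisation name "examplecorp" and the three sample responses are constructed for illustration and are not real.

```python
"""Enumerate candidate S3 bucket names and classify anonymous responses.

Added example; not the code of any tool or company named in the article.
The affix list and the sample XML responses below are constructed.
"""
import itertools
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Affixes bucket-enumeration tools commonly try (assumed, illustrative list).
AFFIXES = ["", "backup", "backups", "dev", "staging", "prod", "logs", "sms", "data"]
SEPARATORS = ["", "-", "."]
# S3 bucket-name rule: 3-63 chars, lowercase letters/digits/dots/hyphens,
# starting and ending with a letter or digit.
VALID_NAME = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def candidate_names(org):
    """Yield deduplicated, syntactically valid bucket names for an org name."""
    org = org.lower()
    seen = set()
    for affix, sep in itertools.product(AFFIXES, SEPARATORS):
        names = (org + sep + affix, affix + sep + org) if affix else (org,)
        for name in names:
            if name in seen or not VALID_NAME.fullmatch(name):
                continue
            seen.add(name)
            yield name


def classify(status, body):
    """Map an anonymous GET on the bucket root to a state string.

    listable  - 200 with a ListBucketResult: anyone can enumerate keys
    exists    - 403: bucket exists but anonymous listing is denied
    missing   - 404 / NoSuchBucket: no such bucket name
    redirect  - 301 / PermanentRedirect: exists, served from another region
    unknown   - anything else (network error, throttling, non-S3 reply)
    """
    tag, code = None, None
    try:
        root = ET.fromstring(body)
        tag = root.tag.split("}")[-1]          # strip the S3 XML namespace
        code = root.findtext("Code")           # present only on <Error>
    except ET.ParseError:
        pass
    if status == 200 and tag == "ListBucketResult":
        return "listable"
    if status == 404 or code == "NoSuchBucket":
        return "missing"
    if status == 301 or code == "PermanentRedirect":
        return "redirect"
    if status == 403:
        return "exists"
    return "unknown"


def list_keys(body):
    """Return object keys from a ListBucketResult document."""
    root = ET.fromstring(body)
    return [el.text for el in root.iter() if el.tag.split("}")[-1] == "Key"]


def probe(bucket, timeout=5):
    """Send an unauthenticated GET to https://<bucket>.s3.amazonaws.com/."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:      # 301/403/404 arrive here
        return classify(err.code, err.read())
    except urllib.error.URLError:
        return "unknown"


# Constructed sample replies, shaped like S3's real XML responses.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>examplecorp-sms-logs</Name><Prefix></Prefix><KeyCount>2</KeyCount>
  <Contents><Key>2024/05/10/outbound.csv</Key><Size>1234</Size></Contents>
  <Contents><Key>2024/05/11/outbound.csv</Key><Size>2345</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
SAMPLE_MISSING = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""


if __name__ == "__main__":
    # Live probing only when run directly; only scan names you are authorised to test.
    for name in candidate_names("examplecorp"):
        print(name, probe(name))
```

Two caveats a practitioner should keep in mind: "exists" (403) only means the bucket root is not anonymously listable, not that individual objects are private, since object-level ACLs can still grant public read to known keys; and in the incident described here the bucket was open for a five-day window, so a one-off scan can miss an exposure that an attacker or researcher running continuous monitoring would catch.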

Twilio clarified that they do not own the bucket in question, and none of their systems were compromised due to this data exposure. They emphasized that the incident was caused by actions taken by IdentifyMobile that were beyond Twilio’s control.

The company has taken several steps to mitigate potential risks and prevent future occurrences in response to the exposure. These measures include initiating an investigation, escalating the issue to iBasis, halting traffic to iBasis where possible, and ensuring iBasis has ceased routing with IdentifyMobile. Additionally, Twilio continues to work with carriers to gather more details about the incident.

Twilio advises its users to review the SMS traffic they sent during the affected period and assess the potential implications of the data exposure.

We asked Twilio about data protection

In response to inquiries about their message storage practices and compliance with privacy regulations, Twilio provided the following official statement to us:

To deliver messages in specific regions, Twilio relies on numerous carriers to route messages to their final destinations. One of Twilio’s carriers, iBasis, used a backup carrier, IdentifyMobile, who in turn inadvertently enabled public access on an AWS S3 Bucket during development work. Twilio does not own this bucket, and none of Twilio’s systems have been compromised.

Twilio

Unfortunately, this reads a bit like a canned response (it says precisely the same as it did in the alert email) and does not fully address the broader questions and concerns we raised.

There is no explanation for why the third-party carrier retained all the message content rather than just metadata. Even though Twilio does not own the bucket and its systems were not breached, it is responsible for ensuring its partners and carriers adhere to its data storage policies and privacy standards.

The response does not address how Twilio ensures compliance with GDPR and similar privacy laws (which we asked about), particularly in the case of IdentifyMobile, which could be subject to stringent privacy regulations if it operates within the UK or EU.


Updated at 7/11/2024 12:01 GMT: On July 11, the CCC group posted an official blog about the enormous scope of the IdentifyMobile security lapse. In total, 200M records from hundreds of companies were exposed. Read our report on CCC’s findings here.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.