New ask Hacker News story: Email from Twilio sounds like a compromised credentials email
Email from Twilio sounds like a compromised credentials email
4 by jjeaff | 0 comments on Hacker News.
Received the below email from Twilio today. I don't remember ever using the 3rd party Twilioid app and see no integration in my Twilio account. Upon reading, they are recommending rotating all API keys, changing Twilio login passwords and even changing email passwords of accounts associated with Twilio and making sure that all attached phone numbers are correct. They even recommend assessing our server security and closing open ports, running malware scans, etc.

Does anyone have any additional information on this situation? I would expect something like this after a big breach. But not a 3rd party app simply shutting down.

===========

Ahoy!

You are receiving this email from Twilio because your account has an integration with Twilioid, a discontinued, third-party Android app not affiliated with Twilio.

What do you need to know?
Twilioid has discontinued its app and asked users to rotate their auth tokens.

What do you need to do?
We recommend you stop using Twilioid and take the following steps to protect your Twilio account:

- Change all passwords associated with your Twilio account. You may also want to update the password for your e-mail provider.
- Reset the Auth Token for your parent account and subaccounts.
- Delete existing API-keys and create new API-keys.
- Enable two-factor authentication (2FA) for all account users.
- Verify that any applications or Twilio integrations are running secure, up-to-date versions that are not in debug mode. This includes frameworks (like Wordpress) and administrative tools (like cPanel).
- Check computers for malware and run anti-virus/anti-malware software.
- Verify user’s email addresses and change them if needed.
- Make sure that the caller ID used to sign up for the account hasn’t changed; this is the same number you enabled 2FA on. Change it if needed.
- Secure your website by closing ports, removing unnecessary files, and using up-to-date integrations.
- Review website permissions to ensure your authentication tokens aren’t stored in plain text and visible to the public.

Sincerely,
Team Twilio
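For the last step in the quoted email (making sure authentication tokens are not stored in plain text and publicly visible), here is a small web-root scan, added as an example that is not part of the original post or of Twilio's email. It assumes Account SIDs and API key SIDs are "AC"/"SK" followed by 32 hex characters, treats a 32-hex value next to a name containing auth_token or secret as a possible Auth Token (a heuristic), and runs against a constructed directory holding fake values.

```python
import os
import re
import stat
import tempfile

# Account SIDs are "AC" + 32 hex characters; API key SIDs are "SK" + 32 hex characters.
SID_RE = re.compile(r"\b(AC|SK)[0-9a-fA-F]{32}\b")
# Heuristic (assumption): a 32-hex value assigned to a name like auth_token or secret.
TOKEN_RE = re.compile(r"(?i)(auth[_-]?token|secret)\W{1,6}([0-9a-f]{32})\b")

def scan_tree(root):
    """Return sorted (relative path, kind, world_readable) findings; values are never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # cap per-file read at about 1 MB
            except OSError:
                continue  # unreadable file: skip it
            kinds = set()
            for m in SID_RE.finditer(text):
                kinds.add("account_sid" if m.group(1) == "AC" else "api_key_sid")
            if TOKEN_RE.search(text):
                kinds.add("auth_token_like")
            rel = os.path.relpath(path, root)
            world = bool(mode & stat.S_IROTH)  # readable by "other" users
            findings.extend((rel, kind, world) for kind in sorted(kinds))
    return sorted(findings)

def demo():
    """Scan a constructed web root that contains fake, obviously invalid credentials."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "config.php")
        with open(cfg, "w") as fh:
            fh.write("$sid = 'AC" + "0" * 32 + "';\n")
            fh.write("$auth_token = '" + "a" * 32 + "';\n")
        os.chmod(cfg, 0o644)  # world-readable, as a misconfigured docroot might be
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>\n")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, kind, world in demo():
        print(f"{rel}: {kind} (world-readable: {world})")
```

Any credential the scan finds under a served directory should be rotated and moved out of the web root, not just have its file permissions tightened.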