Twilio discloses breach caused by Codecov supply chain hack
Twilio utilizes Codecov tools including the previously compromised Bash Uploader script. It said that a "small number" of customer emails were potentially exposed.
Another Codecov supply chain attack victim has come forward, and this time it's cloud communications provider Twilio.
Twilio posted a blog Tuesday disclosing that a "small number" of customer emails had "likely been exfiltrated by an unknown attacker" who cloned Twilio's code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.
"On April 22, 2021, we received a notification from GitHub.com that suspicious activity had been detected related to the Codecov event and a Twilio user token that had been exposed," the blog read. "GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov."
The blog post explained that Twilio uses Codecov code coverage tools, including the compromised Bash Uploader script, in a small number of its projects.
After they identified the suspicious activity and found that some customer emails had been in the repositories, they initiated a security response that included a review of their security, notifying customers with exposed information and rotating all "potentially exposed credentials and secrets." The post concluded by saying that they have no indication that any other customer data was accessed or at risk.
In a section of the blog post titled "What are we doing to prevent similar issues in the future?" the cloud communications provider said that it uses "a robust third-party security team" to evaluate vendors, both new and existing.
"This process ensures our technology supply chain always meets our standards for security. When we become aware of an incident or vulnerability within that supply chain, we move quickly to remediate the issue or remove the software from our environment," the post read.
It is unclear whether Twilio has removed Codecov or dropped it as a vendor.
SearchSecurity asked Twilio whether the company had any indication regarding the attacker's identity; the spokesperson declined to comment.
Twilio marks the second known company to disclose a security incident related to the supply chain attack involving Codecov. Cloud infrastructure vendor HashiCorp disclosed a breach on April 22. Like Twilio, a key part of the company's response involved rotating relevant credentials.
Alexander Culafi is a writer, journalist and podcaster based in Boston.