Twilio data breach: what happened and how to protect yourself

Twilio, a global communications and multi-factor authentication provider, has faced several cyberattacks in recent years—from sophisticated phishing campaigns to large-scale phone number leaks.

A Twilio data breach can have both direct and indirect effects on millions of people as the company powers login systems for widely used apps like Signal, Okta, and even major banking platforms.

This article breaks down what happened in the Twilio incidents, what data was exposed, and how those breaches may affect users. Most importantly, it outlines the steps you can take to protect yourself if your information was impacted.

What is Twilio and why was it targeted?

You may have never heard of Twilio, but your favorite apps might rely on it to send verification codes or handle video calls.

Twilio is a cloud communications platform that lets developers and businesses add communication features to their software using APIs. Think of it as a middleman between apps and global telecom networks.

Twilio also offers specialized services such as Authy, a multi-factor authentication app that delivers one-time codes. Its Verify API enables apps to confirm user identities through SMS, voice, or push notifications. Twilio also owns SendGrid, a platform used by businesses to manage large-scale email marketing campaigns.

Because Twilio handles communications and authentication for countless businesses, it is an appealing target for cybercriminals. Its systems contain phone numbers, verification codes, and enterprise metadata that attackers can use for phishing, smishing, identity theft, or SIM-swap attacks. A compromise of Twilio or one of its vendors can also provide an attack path into the users of connected platforms.

Twilio hack 2022: customer data stolen in a phishing attack

In August 2022, some of the Twilio employees fell victim to a phishing attack designed to steal their credentials and access customer data.

The employees received faux IT messages urging them to update their passwords or review new schedules. The texts contained the employee’s actual names and legit-looking URLs leading to a fake Twilio sign-in page. Some workers tried to log in, revealing their user credentials.

Hackers from the infamous “Oktapus” group used the stolen credentials to access Twilio’s internal systems and compromise third-party customer data. The attack affected 163 customers and 93 Authy users. This may not seem like a lot, but bad actors managed to steal some customer data and added new devices to the Authy hacked accounts.

This security breach triggered related incidents across several platforms that use Twilio’s services, including the Okta identity and access management system breach, the Signal messaging app security incident, and the DoorDash delivery platform data breach. Okta confirmed that customer mobile phone numbers and texts with one-time passwords were compromised during the attack. 

According to the Twilio breach notification, the company quickly revoked access for employees who fell for the phishing scam and conducted an external investigation. The attack was part of a larger campaign that targeted over 130 organizations.

Twilio security breach 2024: Authy hacked leaking 33M user phone numbers

Another Twilio breach happened in 2024, when hackers took advantage of an unauthenticated endpoint in the Authy API.

In other words, Authy’s API lacked proper access controls. Anyone could send a request and receive confidential information indicating whether a phone number was linked to an Authy account. Hackers automated millions of such requests, compiling the responses into a massive list of Authy users’ phone numbers.

So, was Authy hacked? Yes and no. This Twilio security breach compromised 33 million account IDs, linked phone numbers, and other non-personal data. But, Authy accounts and other internal Twilio systems were not breached. This technique resembles the attack on Twitter via an unsecured API.

The Twilio incident came to light when the hacking group ShinyHunters announced on a dark web forum that they were selling the exposed phone numbers. Twilio confirmed the data breach in  a security alert published on its website.

The company also quickly patched the unauthenticated API endpoint and released security updates to the app. Users were warned of potential phishing and smishing attacks.

Alleged Twilio data breaches 2025: SendGrid and Steam controversy

Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available

In April 2025, a hacker using the alias “Satanic claimed to have breached Twilio’s SendGrid platform on a dark web forum. The threat actor put up a dataset of 849,000 records for sale, allegedly containing both personal and organizational information. Twilio, however, assured users that no new data breach took place. Although the news initially gained traction, the dataset’s authenticity was soon questioned, given Satanic’s history of reposting previously leaked data.

In May 2025, another alleged Twilio incident took place. Steam, a game distribution platform that uses Twilio services, suffered a data breach. The attack was attributed to a threat actor Machine1337, who offered a 89 million record dataset for sale on the dark web. It allegedly contained 2FA codes, along with SMS logs and associated phone numbers. While some blamed Twilio backend systems for the breach, the company denied any new security incidents.

These incidents could also be a result of third-party supply chain compromises because of how interconnected modern communication systems are. It remains unclear what exactly happened.

What data was exposed in the Twilio incidents and why it matters

None of the Twilio hacks exposed sensitive personal data, but even the so-called “nonsensitive” information can be misused. Combined, sensitive and nonsensitive personally identifiable information (PII) can power elaborate phishing and smishing (phishing via SMS) scams and ID theft.

Even knowing that a phone number is tied to accounts with two-factor authentication can cause harm. Threat actors may try to convince the telephone provider to transfer the number to a new SIM, a technique known as SIM swapping, to bypass security checks.

How did Twilio respond to its data breaches?

After the 2022 Twilio data breach, the company revoked the compromised employee credentials, conducted a thorough forensic investigation, and notified the affected customers. They also posted frequent and detailed blog updates available to all users.

All workers received additional training on phishing, and the company invested in enhancing its cybersecurity defenses. They adopted FIDO2-based passwordless authentication, which is a technology that enables passwordless logins using tokens and biometric data.

The 2024 Twilio incident prompted a quick API patch and Authy app updates. The messaging giant also urged customers to stay on the lookout for phishing attacks, which often happen after a data leak.

Regarding the alleged 2025 hacks, the company strongly denied suffering another cybersecurity incident and attributed the leaks to third parties.

Although Twilio’s communication was reasonably transparent, incidents kept emerging. Repeated issues seem to have eroded user trust in the safety of their data with Twilio.

Legal and reputational consequences of the Twilio breach 

Law firms, such as Schubert Jonckheer & Kolbe LLP, are investigating the 2024 Authy leak that exposed 33.4 million phone numbers and soliciting claimants for a class action lawsuit. 

Although class actions often take years, reputational damage is immediate. Many users can’t trust Twilio with their information anymore and have switched over to more reliable Authy alternatives. Twilio’s relationship with its enterprise-level clients, especially the ones that were publicly impacted by the 2022 incident (like Okta, Signal, and DoorDash), has also taken a toll.

How to protect your data if you use Twilio or Authy

If you use any of the Twilio solutions, it’s a good idea to take these steps to protect yourself.

• Update the Authy app immediately. After the 2024 Authy hacked incident, Twilio advised all users to update the app. The latest app version contains important security patches and bug fixes. These updates often close vulnerabilities that hackers could exploit.
  
• Request port protection from your carrier. Port protection feature prevents unauthorized number transfers, also known as SIM swapping. 

• Enable SIM card lock. This feature won’t let anyone use your SIM card on a new device without providing a PIN. This may not protect you from cyberattacks, but it can make a big difference if your phone gets lost or stolen.

• Switch to hardware keys or authenticator apps that don’t require phone numbers. SMS codes can be intercepted or redirected. Consider using a hardware security key, such as YubiKey, or apps that work via email, such as Google Authenticator and Microsoft Authenticator.

• Stay alert for phishing/smishing attempts. After any data breach, customers see a rise in phishing attacks. But the reality is, you should always be on the lookout for social engineering scams. Create a habit of double-checking the sender’s email address, don’t click on sketchy links, and never share verification codes. Remember that no legitimate service will ask for sensitive information over call, text, or email.

• Check if your number or email has been leaked. Specialized data breach monitoring tools, such as Have I Been Pwned and, as of recently, Onerep, can be used to check if your information has been part of known data breaches. If your data was exposed, make sure to change your passwords and monitor all your accounts for suspicious activity. We’ve added this feature to all Onerep plans.

How Onerep can help reduce your online exposure

Onerep removes your personal data from data brokers and people-search websites. These sites collect and sell publicly available information to anyone  including cybercriminals who can use it to craft targeted phishing attacks or commit identity theft.

Onerep’s process is simple: the platform scans over 240 sites to identify where your information appears and automatically sends opt-out requests to remove it. Once the exposed data is taken down, Onerep continues to monitor these sites to ensure your information stays private and secure.

FAQs about the Twilio data breach

Has Twilio been hacked?

Yes, Twilio experienced cybersecurity incidents. In 2022, bad actors used phishing to hack Twilio’s internal systems. In 2024, Authy API was used to reveal sensitive client information. But, Authy user accounts were not actually hacked.

Should I worry about the recent Twilio breach?

You shouldn’t worry, but tighten your cybersecurity defenses. Twilio data breaches exposed “non-sensitive” information, but even that can be misused. We advise all our readers to remain reasonably wary of phishing and suspicious activity at all times. 

Is Authy still safe to use?

Authy is still a great tool for MFA, especially compared to SMS-based codes. Remember that no platform is foolproof, and data breaches are growing increasingly common. MFA apps that don’t ask for your phone number might be more secure, but that’s not to say you should abandon Authy. Only you can decide what services you trust with your information.

What should I do if my phone number was leaked?

If your phone number was exposed, consider enabling SIM lock and requesting port protection, update your passwords and use authenticator apps or hardware security keys, be on the lookout for phishing, and monitor your accounts for unusual activity.