Twilio: Security Incident July 2, 2024

On July 2, 2024, Perceptyx was notified (via email) by Twilio, a Perceptyx sub-processor for sending SMS messages, that it had a security incident involving customer SMS data due to its sub-processor inadvertently enabling public access to an S3 bucket operated by the Twilio third-party sub-processor. The incident, the security steps taken by Twilio and its sub-processors, and the subsequent notification were all out of Perceptyx’s control; however, we are taking the incident seriously and have notified all affected customers. If you have not been contacted by Perceptyx regarding this incident, then your organization’s information was not found in the data and no further action is needed on your part.

What You Need to Know:

To deliver messages in specific regions, Twilio relies on numerous carriers to maximize deliverability to their final destinations. Twilio was notified that iBasis (a Twilio backup carrier) had used IdentifyMobile (iBasis's further backup carrier), which inadvertently enabled public access on an AWS S3 bucket during development work. Information contained in this bucket was public from May 10-15, 2024, and was accessed between May 13-14, 2024. Based on a joint investigation between IdentifyMobile and Amazon AWS, Twilio learned that a portion of this data was accessed by the Chaos Computer Club (CCC). CCC is a security research group that identifies security issues; CCC has confirmed that they are not holding any data downloaded from the AWS S3 bucket. Twilio has reported that they do not have evidence that allows them to confirm that no other third party accessed the data.

Twilio does not own this bucket, and none of its systems have been compromised in connection with this data exposure. This incident was the result of actions taken by IdentifyMobile and outside of Twilio’s control.

While Twilio is continuing to collaborate with these carriers to provide the most accurate information regarding this exposure, the portion of data exposed by IdentifyMobile related to SMS sent between January 1, 2024, and May 15, 2024.

The Actions We’ve Taken:

We have reviewed all logs related to this incident and have determined that the messages are all auto-sent from Perceptyx on behalf of our customers. The information included in the SMS logs is:

  • Recipient mobile number
  • SMS message content
  • SMS Sender ID
  • SMS Timestamp

The message content includes a survey invite, a link to the survey, and a standard greeting. Currently, we have no reason to expect any other data is involved. We are continuing to monitor the situation and will update our response accordingly.